(54) Secure data processor with cryptography and tamper detection

(57) The present invention is embodied in a Secured Processing Unit (SPU) chip, a microprocessor designed especially for secure data processing. By integrating keys, encryption/decryption engines and algorithms in the SPU the entire security process is rendered portable and easily distributed across physical boundaries. The invention is based on the orchestration of three interrelated systems: (i) detectors, which alert the SPU to the existence, and help characterize the nature, of a security attack; (ii) filters, which correlate the data from the various detectors, weighing the severity of the attack against the risk to the SPU's integrity, both to its secret data and to the design itself; and (iii) responses, which are countermeasures, calculated by the filters to be most appropriate under the circumstances, to deal with the attack or attacks present. The present invention, with wide capability in all three of the detectors, filters and responses, allows a great degree of flexibility for programming an appropriate level of security policy into an SPU-based application.
Description

1. BACKGROUND.

[0001] This invention relates generally to integrated circuits for electronic data processing systems and more specifically to the architecture, implementation and use of a secure integrated circuit which is capable of effectively preventing inspection, extraction and/or modification of confidential information stored therein.

[0002] There are many applications in which information has to be processed and transmitted securely. For example, automated teller machines (ATMs) require the secure storage and transmission of an identifying key (in this context a password or PIN number) to prevent unauthorized intruders from accessing a bank customer's account. Similarly, pay-per-view (PPV) cable and satellite television systems must protect keys which both distinguish authorized from unauthorized subscribers and decrypt encrypted broadcast television signals.
[0003] Typically, one or more integrated circuits are used to process the information electronically. These integrated circuits may themselves store internal confidential information, such as keys and/or proprietary algorithms for encrypting and decrypting that information, as well as implement the encryption/decryption "engine." Clearly, there is a need for integrated circuits which are capable of preventing an unauthorized person from inspecting, extracting, and/or modifying the confidential information processed by such integrated circuits. Further, it is sometimes desirable to destroy certain confidential information (e.g., the keys) and preserve other confidential information (e.g., historical data, such as accounting information used in financial transactions) upon detection of intrusion.

[0004] One problem with existing security systems is that the confidential information (keys, encryption/decryption algorithms etc.) is, at some point in the process, available to potential intruders in an unencrypted ("cleartext") form in a non-secure environment. What is needed is a single secure integrated circuit in which the keys and encryption/decryption engine and algorithms can be embodied and protected from intruders. Such an integrated circuit would effectively ensure that the information being processed (i.e., inputs to the chip) is not made available off-chip to unauthorized persons except in encrypted form, and would "encapsulate" the encryption/decryption process on the chip such that the keys and algorithms are protected, particularly while in cleartext form, from a variety of potential attacks.
[0005] Existing secure integrated circuits typically contain barriers, detectors, and means for destroying the confidential information stored therein when intrusion is detected. An example of a barrier is the deposition of one or more conductive layers overlying memory cells inside an integrated circuit. These layers prevent the inspection of the memory cells by diagnostic tools such as a scanning electron microscope. An example of a detector and destroying means is a photo detector connected to a switching circuit which turns off power to memory cells inside a secure integrated circuit upon detection of light. When power is turned off, the contents of the memory cells, which may contain confidential information, will be lost. The theory behind such a security mechanism is that the photo detector will be exposed to light only when the enclosure of the integrated circuit is broken, intentionally or by accident. In either event, it is often prudent to destroy the confidential information stored inside the integrated circuit.

[0006] One problem with existing security systems is the "hard-wired" nature of the process of responding to potential intrusions. Such systems are inherently inflexible because it is very difficult to change the behavior of the security features once the integrated circuit has been fabricated. The only way to alter the behavior of these security features is to undertake the expensive and time-consuming task of designing and fabricating a new integrated circuit.

[0007] Another consequence of a hardwired architecture is that it is difficult to produce custom security features for low volume applications. This is because it takes a considerable amount of time and money to design, test, and fabricate an integrated circuit. Consequently, it is difficult economically to justify building small quantities of secure integrated circuits, each customized for a special environment.
[0008] There are many situations in which it is desirable to use the same secure integrated circuit, yet have the ability to modify the security features in accordance with the requirements of the application and environment. For example, if the secure integrated circuit is used to process extremely sensitive information, it will be prudent to implement a conservative security "policy" - e.g., destroying all the confidential data (e.g., keys) inside the integrated circuit upon detection of even a small deviation from a predetermined state. On the other hand, if the information is not very sensitive, and it is not convenient to replace the secure integrated circuit, the security policy could be more lenient - e.g., action could be taken only when there is a large deviation from the predetermined state.

[0009] Thus, it is desirable to have a secure integrated circuit architecture in which a broad range of flexible security policies can be implemented.
2. SUMMARY OF THE INVENTION.

[0010] The present invention is embodied in a Secured Processing Unit (SPU) chip, a microprocessor designed especially for secure data processing. By integrating the keys and the encryption/decryption engine and algorithms in the SPU the entire security process is rendered portable and is easily distributed to its intended recipients, with complete privacy along the way. This is accomplished by the following SPU-based features: positive identification and reliable authentication of the card user, message privacy through a robust encryption capability supporting the major cryptographic standards, secure key exchange, secure storage of private and secret keys, algorithms, certificates or, for example, transaction records or biometric data, verifiability of data and messages as to their alteration, and secure authorization capabilities, including digital signatures.

[0011] The access card could be seen as a form of electronic wallet, holding personal records, such as one's driver's license, passport, birth certificate, vehicle registration, medical records, social security cards, credit cards, biometric information such as finger- and voiceprints, or even digital cash.

[0012] A personal access card contemplated for everyday use should be resilient to the stresses and strains of such use, i.e. going through X-ray machines at airports, the exposure to heat if left in a jacket placed on a radiator, a mistyped personal identification number (PIN) by a flustered owner, etc. Thus, in such an application the SPU could be programmed with high tolerances to such abuses. A photodetector trigger could be cued a few moments later to see if the exposure had stopped. Detection of high temperature might need to be coupled to other symptoms of attack before defensive action was taken. A PIN number entry could be forgiving for the first two incorrect entries before temporarily disabling subsequent functions.

[0013] For an application like a Tessera Crypto-Card, a secure Messaging System for sensitive government information, the system might be programmed to be less forgiving; handling procedures for Tessera Card users may prevent the types of common, everyday abuses of the card. Thus, erasure of sensitive information might be an early priority.
[0014] Various encryption schemes have been proposed which authenticate a secure digital signature, which is very difficult to forge and thus equally difficult to repudiate. Because of a lack of portable, personal security, however, electronic communications have not ... as a means of conducting many standard business transactions. The present invention provides the level of security which makes such electronic commerce practical. Such a system could not only ... for new and existing applications, ... the number of fraudulent or other ...

[0015] Another possible application is desktop purchasing, a delivery system for any type of information product that can be contained in electronic memory, such as movies, software or databases. Thus, multimedia-based advertisements, tutorials, demos, documentation and actual products can be shipped to an end user on a single encrypted CD-ROM or broadcast through suitable RF or cable channels. Virtually ... as digital information could be sold off-line, i.e. at the desktop, with end users possibly permitted to browse and try such products before buying.
[0016] The encryption capabilities of the ... record usage time, and subsequently upload the usage transactions to a billing service bureau in encrypted form, all with a high degree of security and dependability. The SPU would decrypt only the appropriate information and transfer it to a suitable storage medium, such as a hard disk, for immediate use.

[0017] Information metering, software rental and various other applications could also be implemented with an SPU-based system, which could authenticate users and monitor and account for their use and/or purchase of content, while securing confidential information from unauthorized access through policy appropriate to the specific application.

[0018] This pay-as-you-go option is an incentive to information providers to produce products, as it minimizes piracy by authenticating the user's initial access to the system, securing the registered ... subsequent use, thereby giving such users ... the product without repeated authorization.

[0019] Other aspects and advantages of the present invention will become apparent from the following description of the preferred embodiment taken in conjunction with the accompanying drawings, illustrating by way of example the principles of the invention.

3. BRIEF DESCRIPTION OF THE DRAWINGS.

[0020]

FIG. 1 is a simplified block diagram of the apparatus in accordance with the present invention, showing the Secured Processing Unit (SPU) for performing PDPS.

FIG. 2 is a simplified block diagram of the Power Block shown in FIG. 1.

FIG. 3 is a schematic representation of the Silicon Firewall.

FIG. 4 is a schematic representation of an embodiment of the Silicon Firewall shown in FIG. 3.
FIG. 5 is a schematic representation of an alternative embodiment of the Silicon Firewall shown in FIG. 3.

FIG. 6 is a block diagram of the System Clock shown in FIG. 1.

FIG. 7 is a schematic representation of the Ring Oscillator shown in FIG. 6.

FIG. 8 is a block diagram of the Real Time Clock shown in FIG. 1.

FIG. 9 is a flowchart of the firmware process for performing the Inverting Key Storage.

FIG. 10 is a schematic representation of the Inverting Key Storage.

FIG. 11 is a block diagram of an embodiment of the Metallization Layer Detector shown in FIG. 1.

FIG. 12 is a schematic representation of an alternative embodiment of the Metallization Layer Detector shown in FIG. 1.

FIG. 13 is a schematic representation of a second alternative embodiment of the Metallization Layer Detector shown in FIG. 1.

FIG. 14(a) is a flowchart of the firmware process for performing the Clock Integrity Check.

FIG. 14(b) is a flowchart of the firmware process for performing the Power Integrity Check.

FIG. 15 is a flowchart of the firmware process for performing the Bus Monitoring Prevention.

FIG. 16 is a flowchart of the firmware process for performing the Trip Wire Input.

FIG. 17 is a flowchart of the firmware process for performing the Software Attack Monitor.

FIG. 18 is a flowchart of the firmware process for performing the Detection Handler.

FIG. 19 is a simplified representation of the stages of the Filtering Process, including correlating the detectors and selecting the responses.

FIG. 20 is a flowchart of the firmware process for performing the filtering of detectors and selection of responses in the context of a simple SPU application; in this instance, using an SPU-equipped PCMCIA card as a digital cash or debit card.

[0021] A flexible architecture in accordance with the present invention permits extension and customization for specific applications without a compromise in security. One physical embodiment of this invention is a single-chip SPU that includes a 20-MHz 32-Bit CPU based on the National Semiconductor NS32FV16 Advanced Imaging and Communications microprocessor, lacking that chip's Digital Signal Processing (DSP) unit.

[0022] Referring to FIG. 1, the gross features of the SPU architecture are described. This description is not meant to be a literal description of the SPU layout as some features have been moved or regrouped in order to gain a better conceptual understanding of the principles underlying the present invention. The SPU's Micro Controller 3 is isolated from all off-chip input - such input regulated by the External Bus Interface Block 9 and the general purpose I/O Port Block 1 - instead receiving programmed commands via an Internal Data Bus 10 from the on-board ROM Block 7. In one embodiment, the ROM Block 7 is configured at 32 KBytes, and the battery-backed RAM Block 8 is configured at 4 KBytes. The Internal System Bus 10 carries all the major signals among the SPU peripherals, such as the address and data lines, read and write strobes, enable and reset signals, and the Micro Controller clock signal CTTL 25.

[0023] The System Clock Block has a programmable internal high-frequency oscillator, and is the source, through SYSCLK 35, for the Micro Controller clock signal CTTL 25, which governs all peripheral functions.

[0024] The Real Time Clock 5 for the SPU follows the IEEE 1212 standard, which specifies control and status register architecture, and which builds upon and significantly enhances the UNIX time format (UNIX time being the number of seconds elapsed since January 1, 1970). The Real Time Clock 5 is implemented through a binary ripple counter which is driven via RTCLK 29 by an off-chip external 32.768 KHz quartz crystal 14 in conjunction with RTC Oscillator 14 circuitry. Through an offset in battery-backed RAM 8, for example, the Real Time Clock 5 provides UNIX time, and can implement a host of time-based functions and time limits under ROM Block 7 program control. One firmware routine stored in the ROM Block 9 cross-checks the System Clock 2 and Real Time Clock 5 so as to overcome tampering with the latter.

[0025] The I/O Port Block 1 is a general-purpose programmable input/output interface which can be used to access off-chip RAM, and meet general I/O requirements. Off-chip RAM (not shown) would be typically used for information that cannot be accommodated internally but, for security and performance reasons, still needs to be closer to the SPU than main system memory or disk storage. This information may be protected by modification detection codes, and may or may not be encrypted, depending on application requirements. In addition to serving as a memory interface, several signals on this port can be used to implement cryptographic alarms or trip wire inputs, or even to zero inputs or keys.

[0026] The External Bus Interface Block 9 is the communications port to the host system. In one embodiment it is the means for getting the application commands as well as data to and from the SPU, and is designed to match the ISA bus standard requirements.

[0027] The Power Block 13 switches between system and battery power depending on system power availability. Power from an external battery (not shown) is supplied to the RTC Block 5, the RAM Block 8 and a Status Register 11 through VPP 24, as well as off-chip RAM (not shown) through VOUT 23 when system power is not available. The Power Block 13 also provides signals PWRGD 27, DLY_PWRGD 26 and CHIP_PWRGD 28, which, respectively, start the System Clock 2, reset the Bus Controller 4 and enable the isolation of the battery-backed parts of the circuit from the non-battery backed parts through the Power Isolation 12.
[0028] A Silicon Firewall 20 protects the internal circuitry from any external asynchronous or otherwise anomalous signals, conditioning the inputs from the I/O Port Block 1 via PIN lines 32 or the External Bus Interface 9 via ADDR/DATA lines 33, the RESET 30 to the Bus Controller 4, as well as from a host of security detectors. Some internally generated signals, such as the output of the Real Time Clock 5, are similarly conditioned.

[0029] The Status Register 11 is the repository of all hardware detector signals arrayed through the device to detect various attempted security breaches. Detectors may include a Photo Detector 16, Temperature Detector 17, Metallization Layer Detector 18 and any Additional Detectors 19 (represented in ghost), for example: high/low voltage detectors, vibration detectors, sound detectors. Each of these detectors may convey one or more bits of information which, in one embodiment, are stored in the Status Register 11. The Status Register 11 may also store internally generated signals, such as the ROLLOVER 34 signal from the Real Time Clock 5 and the Valid RAM and Time (VRT) bit used to verify the integrity of the information stored in the RAM Block 8 and the time counter in the Real Time Clock 5.
[0030] In one embodiment, a DES Engine 6 is provided as a cryptographic engine to encrypt and decrypt data using its DES algorithm. Alternative embodiments of cryptographic engines may be implemented entirely in hardware or in a combination of hardware and software, and may use other cryptographic algorithms, including RSA or secret algorithms such as RC2, RC4, or Skipjack or combinations thereof. The DES Engine 6 receives keys and data for the cryptographic process from the RAM Block 8 under the control of the Micro Controller 3. The data used could be application data supplied from the External Bus Interface 9 or protected data from the RAM Block 8. The DES Block 6, in one embodiment, performs a decryption of a 64-bit block in 18 clock cycles. Thus, with the SPU rated at 20 MHz, a single decryption will take approximately 90 ns, which amounts to a decryption rate of 8.9 Mbytes per second.
[0031] Typically, the SPU receives "messages" in encrypted form. The cryptographic engine (e.g. DES Engine 6) uses keys, for example, "session keys" specific to a particular application transaction or "session". The cryptographic engine is thus used to encrypt or decrypt the messages, or perform other cryptographic operations as is well-known in the art. In addition to providing secure message transfer, the SPU also provides secure key transfer. By having, or indeed even generating a "master key" internally (using any of the well-known key generation techniques for public or secret key algorithms), the SPU can receive session keys in encrypted form and, treating them like messages, decrypt them with the cryptographic engine using the master key. Conversely, the SPU can encrypt and send messages in a secure manner. The master key, the decrypted session keys and other confidential information (e.g. the encryption/decryption algorithms) are stored in secure rewritable memory.

i. Power Block.

[0032] The security requirements of the SPU impose special requirements on the power supply. As the Real Time Clock 5 is used to maintain accurate time and the RAM 8 is used to store and maintain information, both for the field life of the product, each must have a continuous source of power VPP 24, which here is supplied by the Power Block 13.
[0033] Referring now to FIG. 2, the battery VBAT 21 and system VDD 22 voltages are supplied to the Power Switching Circuit 101. This circuit uses a conventional analog comparator to determine the higher of the two voltages, VDD 22 and VBAT 21, and provide such voltage as VPP 24 to the internal circuitry and as VOUT 23, which could be used as a voltage supply for off-chip RAM, for example. The Power Switching Circuit 101 also provides a PWRGD 27 signal, which is used to indicate whether the entire SPU chip is powered through VDD 22 (the high state), as opposed to only the battery-backed sections being powered via VBAT 21 (the low state). In one embodiment, the threshold for this switch is when VDD 22 exceeds 1.2 times VBAT 21. If the external battery is dead, VBAT 21 is effectively zero, and PWRGD 27 goes high as soon as VDD 22 is turned on.

[0034] The PWRGD 27 signal, as not originating from the Internal Data Bus 10, would represent a security risk within the circuitry inside the Silicon Firewall 20 if left untreated. However, unlike other signals that are passed through the Silicon Firewall 20, PWRGD 27 is used to start the System Clock 2, as discussed below, and thus cannot be conditioned and synchronized by the Silicon Firewall 20 in the manner those other signals are treated. Thus, the Power Switching Circuit 101 conditions the PWRGD 27 signal by a low-pass filter, which acts as a "glitch eater" to prevent any rapid changes in the resultant PWRGD 27 signal and give it a sufficiently narrow bandwidth as to admit to the internal circuitry.

[0035] Two counters, PWRUP Counter 102 and PWRDN Counter 103, are provided to produce DLY_PWRGD 26, a delayed version of PWRGD 27, as clocked by the system clock CTTL 34 signal. These counters may be conventional devices as is well known in the art. In one embodiment, this DLY_PWRGD 26 signal is used as an input to the AND gate 31 incident to the Bus Controller 4, as shown in FIG. 1, thus assuring the SPU is always powered up in the reset state. The DLY_PWRGD 26 and PWRGD 27 signals are combined through an AND gate 114 to produce another signal, CHIP_PWRGD 28.

[0036] The CHIP_PWRGD 28 signal is provided to prevent current flow from the battery-backed circuitry to the rest of the circuit that is not powered when the system power VDD 22 is removed, and thus allow for the orderly shutdown of the non-battery-backed sections. This signal acts as an early detection system for the system power going away. Referring to FIG. 1, the CHIP_PWRGD 28 signal is used by the Power Isolation Circuit 12 which isolates the inputs and output of the Real Time Clock 5, RAM 8 and Status Register 11 from non-battery-backed sections of the chip. CHIP_PWRGD 28 is conditioned in the manner of the Silicon Firewall 20 described below; this process has the added advantage of preventing any invalid writes to the RAM 8 or Real Time Clock 5 when the power source is being switched.
[0037] As described above, the DLY_PWRGD 26 signal may be used as a reset. However, if the PWRUP Counter 102 is powered up in the wrong state, it may affect the reset operation of the rest of the device. The state machine in PWRUP Counter 102 could power-up in a state of continual reset owing to the dual requirements of powering up without reset, and delaying the stopping of CTTL 34 clocking upon power down. To overcome this problem, a separate analog circuit VccPUD 104 is provided, with inputs SET_PWUP 110 and CLR_PWUP 111, which respectively set and clear the output VCCPWUP 107. The VccPUD 104 circuit also monitors VDD 22 such that VCCPWUP 107 will also clear if VDD 22 falls below approximately 2V. In this embodiment, VDD 22 is supplied by the Power Switching Circuit 101 via VREF 115.

[0038] The operation of the PWRUP Counter 102 and PWRDN Counter 103 in conjunction with VccPUD 104 is thus as follows. On power up, until the system power VDD 22 comes up above 1.2 times VBAT 21, VCCPWUP 112 acts as a reset to PWRUP Counter 102 and PWRDN Counter 103; afterwards PWRGD 27 and consequently VCCPWUP 112 will come up, triggering the start of the PWRUP Counter 102. Seven clock cycles later, as clocked by CTTL 34, the DLY_PWRGD 26 and CHIP_PWRGD 28 signals will go high. Conversely, when VDD 22 comes down, before it dips below 2V, it will drop below 1.2 times VBAT 21, thus PWRGD 27 will go low, starting the PWRDN Counter 103 via inverter 108. Eight clock cycles later, the PWRDN Counter 103 will trigger the SHUTDOWN 113 signal, which will activate CLR_PWUP 111, causing VCCPWUP 112 to go low, resetting the PWRDN Counter 103 via AND gate 107 and the PWRUP Counter 102 via inverter 109. Thus, if the PWRGD 27 signal is low for longer than seven clock cycles the entire device is reset as if power has been completely removed. This delay takes into account transients in the power supply where VDD 22 goes high but dips below 2V briefly before returning to an acceptable level.

ii. Alarm Wake Up.

[0039] One embodiment of the present invention disables detection capability when the SPU is running on battery power VBAT 21 only. In an alternative embodiment, in the absence of system power VDD 22, non-battery backed parts of the SPU are temporarily powered through VBAT 21. As presented in ghost in FIG. 1, if any detector triggers a signal, the OR gate 39 would send an ALARM 38 signal to the Power Block 13.

[0040] With further reference to FIG. 2, if VBAT 21 alone was sufficiently high to power the SPU, a modified Power Switching Circuit 101 would upon triggering by the ALARM 38 signal: (i) generate a PWRGD 27 signal much as seen before; (ii) generate a new signal APWRGD 40, to indicate that the SPU was operating under alarm-triggered "emergency" power; and (iii) switch VREF 115 from VDD 22 to VBAT 21 so as not to interfere with the powering up process. In the continued absence of adequate VDD 22, a SLEEP 41 signal received by the Power Switching Circuit 101 would make PWRGD 27 and APWRGD 40 go low, switch VREF 115 back to VDD 22, and so trigger a power down much as seen before.

iii. Silicon Firewall.

[0041] A common assumption, when defining a security model, is that everything inside a system is protected while everything outside is not protected. In any effort to plan for security features, it is crucial to establish a clear understanding of the system boundary and to define the threats, originating outside the boundary, against which the system must defend itself. In the case of the SPU, the system boundary is the silicon boundary, or equivalently, the pins of the SPU package. The components inside the system boundary are of two types: those responsible for maintaining the security of the system; and those responsible for performing other functions. Separating the two types of components is the boundary called the security perimeter, with the area between the security perimeter and the silicon boundary called the silicon firewall. The silicon firewall's role is thus to defend the security perimeter. One aspect of this role, for example, is to prevent asynchronous inputs from outside the security perimeter reaching inside untreated; such inputs may drive the system into unpredictable and uncontrollable states.

[0042] The Micro Controller 3 is one of the least trusted components in the SPU, precisely because it is difficult to verify all the multitudinous states of a microcontroller. Consequently, the Micro Controller 3 in a SPU should be protected from asynchronous or otherwise abnormal inputs, i.e., inputs which are outside the normal operating mode of the Micro Controller 3. Examples of abnormal inputs are signals which have disallowed input levels (e.g., signals which have neither valid high nor valid low logic levels) and signals which have timing transitions which are out-of-specification. Not only do input signals from outside the SPU need treatment, but all internal signals which are asynchronous to the Micro Controller must be treated as well.

[0043] A common technique is to equip all inputs to a semiconductor chip with Schmitt trigger devices, coupled with ... so that signals cannot change state while they are being sampled by the semiconductor chip. However, it is difficult to fabricate Schmitt triggers. Furthermore, Schmitt triggers are slow because of hysteresis effects. The SPU according to the present invention uses a "Silicon Firewall" design built around a state machine. FIG. 3 shows one embodiment which could be used as a Silicon Firewall. State machine 710 comprises a data register 712 the state of which is controlled by a clock 714. In this embodiment, state machine 710 operates as a four t-state machine. During any time other than t1, data is locked out of data register 712. In t1, input data (if available) is latched into an input port 716 of data register 712. However, data is not available to the output port 717 of data register 712 until t3. Consequently, any metastable states of the input data are nullified by the two t-cycle delay.

[0044] FIG. 4 shows an embodiment of a data register 720 which can be advantageously used in state machine 710. Register 720 comprises two D flip-flops 722 and 724. The output terminal 726 of flip-flop 722 is coupled to the input terminal 727 of flip-flop 724. A clock signal is sent to the clock terminals 728 and 729 of flip-flops 722 and 724, respectively, along line 730.

[0045] When an external signal, which is generally asynchronous, is applied to the input terminal 732 of flip-flop 722, its state (high or low) is latched into flip-flop 722 only at the rising edge of the first clock pulse. This state is kept the same until the rising edge of the second clock pulse. As a result, the output signal at terminal 726 of flip-flop 722 remains at the same state from the rising edge of the first clock pulse to the rising edge of the second clock pulse, regardless of the state of the input signal between the two rising edges.

[0046] At the rising edge of the second clock pulse, flip-flop 724 latches the state of the output terminal 726 of flip-flop 722, which corresponds to the state of the external signal at the rising edge of the first clock pulse. Consequently, the output terminal 734 of flip-flop 724 will have a state equal to the state of the external signal at the rising edge of an earlier clock pulse.

[0047] It can be seen from data register 720 that the input is sampled at a time determined (i.e., synchronized) by the clock pulses. In addition, any abnormal signal is filtered by flip-flop 722. Consequently, the signal connected to the embedded controller is a normal and synchronized signal.

[0048] FIG. 5 shows an alternative embodiment of a data register 740 which can be advantageously used in state machine 710. Data register 740 consists of a multiplexer 742, a D flip-flop 744, a buffer 746, and a device 748 for generating a clock signal having four t-states in response to an input clock signal on line 750. The output of multiplexer 742 is connected to the input of D flip-flop 744, and the output of D flip-flop 744 is connected to the input of buffer 746 and one of the input terminals of multiplexer 742. The other terminal of multiplexer 742 is connected to an external signal (typically asynchronous). Device 748 generates a clock signal on line 752 which controls multiplexer 742 such that the external asynchronous signal on line 758 is coupled to D flip-flop 744 only at time t1. Device 748 also generates a clock signal on line 754 which controls buffer 754 such that the output signal of D flip-flop 744 passes through buffer 746 only at time t3. As a result, the signal on line 756 is synchronized.
iv. Internal System Clock

[0049] A system clock compatible with PDPS faces a series of design considerations: cost, governmental regulatory compliance, printed circuit board area, power consumption and last, but most important, security. The desire for high performance places a premium on clock speed, which is directly proportional thereto.

[0050] The cost of clocking circuits increases with frequency, and external clocks may represent a sizeable fraction of the entire manufacturing cost. The greater the physical extent of the high-frequency circuitry, the greater the high-frequency EM emissions, resulting in both a problem for security as well as for meeting FIPS 140-1 requirements. EM emissions can give surprising amounts of information to sophisticated attackers: by analyzing the power spectrum, one might even deduce which type of algorithm is being processed at any particular time. As compared with an internal clock sitting right on the microprocessor, an external clock coupled to a microprocessor cannot be made to comply as easily with the FIPS 140-1 EMI/EMC requirements which impose limits on EM emissions. External clocking arrangements can use significant real estate on printed circuit boards and hence restrict design applications. The desire to reduce power consumption favors internal clocks: they can operate at lower voltages than external ones, which have to deal with high outside EM interference; and they have smaller power dissipation capacitances owing to their smaller physical dimensions. Moreover, the presence of an external clock allows a potential chip attacker to manipulate the clock speed, a factor which may allow it to foil other security devices.

[0051] Internal oscillators, of themselves, are not novel structures. One can find a programmable internal oscillator in Carver Mead and Lynn Conway, Introduction to VLSI Systems, Addison-Wesley (1980), pp. 233-236. Another example is a phase-locked loop circuit which locks upon an external low frequency reference, as described by Brian Case, "Sony & HDL Detail Embedded MIPS Cores", Microprocessor Report, vol. 7, no. 15, November 15, 1993. This outside link through an external reference is completely inappropriate in a security environment, however.
[0052] Referring now to FIG. 6, the System Clock 2 is implemented using a standard 5-clock-cycle shutdown, 5-clock-cycle enable, state machine once a change request has been detected. The Bus Interface and Decoder 151 selects and decodes three types of signals off the Internal Bus 10: the internal system clock signal CTTL 34 which is passed onto Power Block 13 as was illustrated in FIG. 1; a STOP_CLK 166 signal to stop the System Clock 2; and the 4 bit signal OSC_FREQ 172 representing the programmed frequency for the Ring Oscillator 156. The OSC_FREQ 172 signal is stored in the Oscillator Control Register 152, and is fed into the Change Pulse Generator 153. The STOP_CLK 166 and PWRGD 27 signals are fed into AND gate 164, the output of which is fed into the Change Pulse Generator 153, AND gate 165, the set of entry latches 154, the Clock Edge Prohibit 155, and the resets for the D flip-flops 159...163. Thus, when the Change Pulse Generator 153 detects a change in any of its inputs, it generates a pulse CHANGE_DETECTED 167 which is latched onto the latch 158. The D flip-flops 159...163 act as a shift register, propagating the latched signal from latch 158 down the line in five clock cycles, the clocking generated by RING_CLK_OUT 170, the output of the Ring Oscillator 156. When the signal has propagated through the last D flip-flop 163, it generates: (i) an OPEN_LATCH 168 signal to the entry latches 154 and Clock Edge Prohibit 155; and (ii) a CLOSE_LATCH 169 signal to the exit latch 157 and the AND gate 165, thus resetting the latch 158.

[0053] The OPEN_LATCH 168 signal, in conjunction with a high signal from the AND gate 164, will enable the Clock Edge Prohibit 155, which is a one-shot trigger generating a SHUTDOWN_CLK 171 signal for approximately 120 ns, allowing a new frequency to be programmed into the Ring Oscillator 156 without introducing transient glitches. At the same time, the CLOSE_LATCH 169 signal will remain low for one clock cycle, resulting in the output SYSCLK 35 having a longer duty cycle for one clock cycle, and then the data in the Oscillator Control Register 225 will correspond to the output frequency of SYSCLK 35.
[0054] The Ring Oscillator 156 itself will now be described. To compensate for the wide process variations introduced in manufacture, resulting in variances in individual clock rates over a wide range, the Ring Oscillator 156 is programmable to sixteen different frequencies of operation: 22 MHz, 23 MHz, 24.8 MHz, 26.2 MHz, 27.7 MHz, 29 MHz, 31.9 MHz, 34.3 MHz, 37.8 MHz, 40.2 MHz, 46 MHz, 51.2 MHz, 58.8 MHz, 64.9 MHz, 82.2 MHz and 102.2 MHz. The particular nature of the Micro Controller 3, as well as concerns for the operational compatibility with the ROM 7, dictated that these nominal frequencies be divided by two before the signal leaves the Ring Oscillator 156 and is provided to the Micro Controller 2 via SYSCLK 35.
[0055] Referring now to FIG. 7(a), one can see that this aforementioned frequency division is accomplished by the D flip-flop 210 whose output is RING_CLK_OUT 170. The OSC_FREQ 172 signals are supplied in pairs to one of two multiplexers MUX1 204 and MUX2 208. The output of MUX2 208 is fed to the D flip-flop 210 clock input and the NAND gate 209. The SHUTDOWN_CLK 171 signal is fed to the D flip-flop 210 reset and the NAND gate 209. Blocks 201, 202, 203, 205, 206, 207 are chains of inverters, represented in FIGS. 4(b), 4(c), 4(c), 4(d), 4(e) and 4(e), respectively. Depending on the state of the OSC_FREQ 171 signals, from (0,0,0,0) to (1,1,1,1), asserted on the multiplexers MUX1 204 and MUX2 208, the results yield an effective circuit varying in the number of inverters. In FIG. 7(b) a chain of 8 inverters 211...218 is shown, each connected to VPP 24 through capacitors 219...226. These capacitors act to swamp all routing capacitance through the circuit. Similarly, FIG. 7(c) shows the corresponding 4 inverter chain, with inverters 227...230 and capacitors 231...234. FIG. 7(d) shows the 2 inverter chain with inverters 235 and 236, capacitors 237 and 238. Finally, FIG. 7(e) also shows two inverters 239 and 240, but with only a single capacitor 241 attached to the output of the second inverter 240. Two inverters are required in this last case, because an even number of inverters, in conjunction with the NAND gate 209, is required to give the ring a net overall inversion, sustaining the Ring Oscillator 156. It is the combined propagation delays through all the inverters, the NAND gate 209 and the multiplexers MUX1 204 and MUX2 208 which generate the 16 different frequencies of the Ring Oscillator 156 listed above.
[0056] At manufacturing time, the frequency selected is based on calibration with an established time standard. This standard may be provided by the Real Time Clock 5, or by "[...]" time commands timed and sent from a trusted system. Using the Real Time Clock 5 provides the optimal calibration input. This calibration is accomplished at the same time secret keys are installed and can only be done in the manufacturing mode. The final set frequency, as read from the lowest four bits of the Oscillator Control Register 152, is stored in the battery-backed RAM 8 or some other non-volatile memory. Each time the device is reset, or power is applied, the device assures itself that the final set frequency stored in nonvolatile memory is correct by using modification detection codes, as described below. If the final set frequency is correct then it is loaded into the lowest four bits of the Oscillator Control Register 225, thus re-establishing the optimal operating frequency of the Ring Oscillator 156. If it is incorrect, as stored in the non-volatile memory, then no value is loaded into the Oscillator Control Register 225, thus leaving it at its reset value. Leaving the Ring Oscillator 156 at its reset value, which is the lowest programmable frequency, ensures proper operation of the device even under conditions of [corrupted] non-volatile memory. For example, the internal Micro Controller clock input SYSCLK 216 is never driven at too high a frequency, which could lead to malfunction and possible security breach.

v. Real-Time Clock

[0057] For the reasons disclosed above, as well as an innate temperature variability of about 30% over the SPU's operating range, the System Clock 2 represents a secure but somewhat inaccurate timing device, suitable for internal clocking of the Micro Controller 3, but not for keeping UNIX time or to control timed and time-of-day events.
[0058] Referring to FIG. 1, the RTC Oscillator 14 is designed to produce [...] with the use of an external quartz crystal 15. Alternatively, one could bypass the RTC Oscillator 14 and generate RTCLK 29 through an external clock. OSC_ON 42 allows the oscillator to be stopped even though battery power is applied to the device. This prevents drain on the battery, as for example, while the system is in inventory before it is sold. The output RTCLK 236 from the RTC Oscillator 241 is used to drive the Real Time Clock, as described below.
[0059] With reference to FIG. 8, the Real Time Clock 5 consists of a binary Ripple Counter 302, a Bus Interface and Decoder 301, and a Synchronization Block 303. The Ripple Counter 302 may be a conventional shift register array with 15 bits allocated to counting fractions of seconds, output via SFC 306, and 32 bits allocated to a seconds counter, output via SC 307. The value of SC 307, when combined with an offset in the local battery-backed RAM Block 8, produces the sought-after UNIX time. The final carry-over in the Ripple Counter 302 produces the ROLLOVER 34 signal.

[0060] The Bus Interface and Decoder 301 interfaces with the Internal Bus 10 and supplies the system clock CTTL 25, the aforementioned OSC_ON 42 signal, and signals CLEAR_RTC 304 and CLOCK_RTC 305. CLEAR_RTC 304 is used to reset the Ripple Counter 302. CLOCK_RTC 305 allows the Micro Controller 3 to clock the Ripple Counter 302 without resorting to RTCLK 29, and thus permits testing of the device.

[0061] As RTCLK 29 is an external asynchronous signal, the resulting signals SFC 306, SC 307 and ROLLOVER 34 need to be treated by the Synchronization Block 303, in the manner of the Silicon Firewall described earlier. Thereafter, the SFC 306 and SC 307 signals may be appropriately channeled through the Internal Bus 10 in response to polling by the Micro Controller 3. The use of the ROLLOVER 34 signal will be discussed in the context of the Rollover Bit discussed below.

[0062] In accordance with the alarm [...], a Countdown Counter 308 (represented in ghost) is set by the Micro Controller 3 via counter control signals sent on the Internal Bus 10, decoded by the Bus Interface and Decoder 301 and transmitted via line(s) 310. Thus, when the Countdown Counter 308 accomplishes a predetermined count as clocked off the Ripple Counter 302 signals SC 307 or SFC 306, it would issue an ALARM 38 signal in the same manner as described above. In addition, the ROLLOVER 309 signal, passed through OR gate 309, may provide the basis for another wake up signal via ALARM 38.

vi. Inverting Key Storage

[0063] It is desirable to place secret information (e.g., the decryption key) in the volatile, or generally, re-writable memory of the SPU. The secret information will be destroyed if power to the SPU is turned off. On the other hand, if the secret information is placed in non-volatile memory, an attacker can remove the SPU and at his leisure and by conventional means examine the information in the non-volatile memory.
[0064] If secret information is not loaded into the volatile memory properly, an attacker may still be able to examine the SPU while system power is turned off and obtain the secret information. This is because the secret information stored in conventional volatile memory may leave a residue on the dielectric material of the SPU, which the attacker can read to obtain the secret information even after power is turned off. When the secret information is loaded into memory, the voltage level of the memory cells causes charge to build up in the dielectric material of the memory cells. If the same secret information is placed in the same memory location for an extended period of time, the dielectric material may be permanently affected by the charge of the memory cells. When this happens, it is possible to determine the secret information even after power is removed from the memory cells. Further, it is possible to artificially "age" the memory cells (so that the dielectric material can be permanently affected in less time) by elevating the voltage and changing the operating temperature of the SPU.

[0065] One aspect of the present invention is an inverting key storage arrangement wherein the secret keys are periodically inverted. As a result, the net average charge across all memory cells is the same, thus leaving no signature of a specially selected key in the dielectric material of the memory cells which would be amenable to detection.
[0066] In one embodiment of the invention, the inverting key storage arrangement is implemented in firmware. The firmware includes a key inverting routine which is executed in a predetermined time, e.g., once every 100 ms. A flowchart 800 which includes a key inverting routine 802 is shown in FIG. 9. Flowchart 800 contains a decision block 804 which determines if it is time to branch to inverting routine 802. If the answer is negative, programs in the firmware are executed (block 806). If it is time to execute the key inverting routine 802, flowchart 800 branches to block 808 which causes all access to the keys to be disabled. The embedded controller then reads the key stored in volatile memory. The bits of the key are inverted and then stored back into memory (block 810). In order to keep track of the current status of the inversion (i.e., whether the key is in a normal or inverted state), a key-inversion status bit is assigned to keep track of the status. After the key is inverted, the status of the key-inversion status bit is changed (block 812). The access to the key is now enabled (block 814). Flowchart 800 can now branch to block 806 to execute other firmware routines.
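The firmware routine of flowchart 800, written out as an added example for this page (it is not code from the patent): the key is inverted in place at a fixed interval, a status bit records whether the stored form is normal or inverted, access is disabled for the duration of the inversion (block 808 to block 814), and readers undo the inversion on the fly so that consumers never see the inverted form. The names key_store_t, key_invert_tick() and key_read(), the 16-byte key size and the millisecond tick are assumptions of this example; the last function makes the point of [0065] concrete by counting how long a given bit spends at logic 1 over a number of inversion periods.

```c
/* Added example (not from the patent): software model of the key inverting routine of
 * flowchart 800. key_store_t, key_invert_tick(), key_read() and KEY_BYTES are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

#define KEY_BYTES 16
#define INVERT_PERIOD_MS 100u   /* the patent's example interval for decision block 804 */

typedef struct {
    uint8_t  cells[KEY_BYTES];  /* volatile key memory as physically stored (normal or inverted) */
    bool     inverted;          /* key-inversion status bit (toggled at block 812) */
    bool     access_enabled;    /* cleared at block 808, set again at block 814 */
    uint32_t last_invert_ms;    /* when the routine last ran */
} key_store_t;

void key_store_init(key_store_t *ks, const uint8_t *key, uint32_t now_ms)
{
    memcpy(ks->cells, key, KEY_BYTES);
    ks->inverted = false;
    ks->access_enabled = true;
    ks->last_invert_ms = now_ms;
}

/* Blocks 808-814: disable access, invert every bit in place, flip the status bit, re-enable. */
static void key_invert_once(key_store_t *ks)
{
    ks->access_enabled = false;                  /* block 808 */
    for (size_t i = 0; i < KEY_BYTES; i++)
        ks->cells[i] = (uint8_t)~ks->cells[i];   /* block 810 */
    ks->inverted = !ks->inverted;                /* block 812 */
    ks->access_enabled = true;                   /* block 814 */
}

/* Decision block 804, called from the firmware main loop with a millisecond tick.
   Returns true when an inversion ran; false means the loop continues at block 806. */
bool key_invert_tick(key_store_t *ks, uint32_t now_ms)
{
    if ((uint32_t)(now_ms - ks->last_invert_ms) < INVERT_PERIOD_MS)
        return false;
    ks->last_invert_ms = now_ms;
    key_invert_once(ks);
    return true;
}

/* Readers get the logical key: re-invert on the fly when the status bit says the cells
   hold the inverted form. Fails while access is disabled. */
bool key_read(const key_store_t *ks, uint8_t *out)
{
    if (!ks->access_enabled)
        return false;
    for (size_t i = 0; i < KEY_BYTES; i++)
        out[i] = ks->inverted ? (uint8_t)~ks->cells[i] : ks->cells[i];
    return true;
}

/* Number of inversion periods, out of `periods`, during which bit `bit` of a cell holding
   key_byte sits at logic 1. For an even number of periods this is periods/2 whatever the
   key bit is, which is why no per-cell charge signature of the key builds up. */
unsigned key_bit_ones_over_periods(uint8_t key_byte, unsigned bit, unsigned periods)
{
    unsigned ones = 0;
    for (unsigned p = 0; p < periods; p++) {
        uint8_t stored = (p & 1u) ? (uint8_t)~key_byte : key_byte;
        ones += (stored >> bit) & 1u;
    }
    return ones;
}
```

A real implementation would also have to worry about the window between reading the cells and writing them back (power loss there leaves the status bit out of step with the cells), which is one reason the hardware arrangement of FIG. 10 toggles the cells and the status flip-flop on the same clock edge.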
[0067] It is also possible to implement an inverting key storage arrangement using only hardware. FIG. 10 is a schematic diagram of such an arrangement 820, which contains a JK flip flop 822 and a plurality of memory cells, such as cells 824 and 825. The structure of these two cells is identical, and only one will be described in detail. Cell 824 contains two OR gates 827 and 828, a JK flip flop 829, a NOR gate 830, an inverter 831, and a buffer 832. A clock signal on line 834 is connected to the clock input of the two flip flops 822 and 829. A Toggle/Load signal (T/L*) on line 835 is used to put the cells 824 and 825 in a toggle state when the signal is at a high value and the cells in a load state when the signal is at a low value. Thus, when the T/L* signal is low, the data on line 839 is loaded into memory cell 824. When the T/L* signal is high, the JK flip flop 829 will toggle according to the clock signal on line 834. A read signal on line 836 is coupled to the enable terminal of buffer 832. The read signal allows the data stored in the memory cells to be read. The signal on line 836 indicates whether the output on line 839 is the original or the inverted signal.

vii. Additional Security Features.

[0068] In addition to the features described above, the SPU can certainly be rendered more secure in any number of ways. For example, the physical coating disclosed in application Ser. No. 08/096,537, "Tamper Resistant Integrated Circuit Structure", filed July 22, 1993, in the name of inventor Robert C. Byrne, and incorporated herein by reference, has a tamper resistant structure laid down in a pattern which would cover portions of the SPU, but expose others so that etching away the tamper resistant structure destroys the exposed portions. Thus, the SPU would not be easily disassembled or reverse engineered, because the tamper resistant structure would hide the active circuitry and removal of the tamper resistant structure would destroy the active circuitry. This physical coating would act as a natural adjunct to the Metallization Layer Detector (FIGS. 11-13).

[0069] Another security feature that could prove useful is disclosed in application Ser. No. [...], "Secure Non-Volatile Memory Cell", filed [...] 1994, in the name of inventors Max Kuo and James Jaffee, also incorporated herein by reference, which has an EEPROM cell providing protection against external detection of the charge stored within the cell by causing any stored charge to dissipate upon the attempted processing of the cell. This type of EEPROM might fulfill the role of the ROM 7 block, or possibly even substitute for the Inverting Key Storage described earlier (FIGS. 9, 10).

b. Implementation of the Detectors.

[0070] If secure information resides in registers or memory of a VLSI device, often an attacker finds it fruitful to remove the packaging of such a device to impact such storage devices directly. This facilitates the investigation of the design architecture and makes it possible to probe internal nodes in an attempt to discover the secure information. Such package removal, or de-encapsulation, will thus likely expose the die to ambient light, even if inadvertently on the attacker's part. Detecting such light could act as input information for suitable responsive countermeasures to take place.

[0071] The construction of a light-sensitive device can be implemented in many standard CMOS processes without any extra masks or steps. For example, lightly doped N-type material exhibits a conductivity proportional to the amount of light to which the material is exposed.

[0072] Referring to FIG. 1, the Photo Detector 16 signal passes through the Silicon Firewall 20 before setting a bit in the Status Register 11. A plurality of such detectors may be placed at strategic places within the SPU, which may be used to localize and further characterize the nature of any intrusion.

ii. High/Low Temperature Detector.

[0073] The normal temperature operating range for the SPU is 0°C to 70°C. Any temperature above this range, in most applications, might well be considered to be the result of an intrusion attempt by an attacker, as for example, the heat generated by grinding away at the chip's outer layer. A substrate diode, well-known to the art, should be sufficient for detecting temperature changes, although any other comparable device known to those of ordinary skill in the art for performing temperature measurement should suffice.

[0074] With reference to FIG. 1, the Temperature Detector 17 signal passes through the Silicon Firewall 20 before setting a bit in the Status Register 11. Nothing in accordance with this invention precludes a multi-bit field characterizing a temperature scale, or a plurality of such detectors, to characterize any temperature differentials within the SPU.

iii. Metallization Layer.

[0075] Modern day integrated-circuit analysis equipment is able to probe the contents of an integrated circuit while power is applied to the circuit. As a result, it is possible to detect a key, or other secret data for that matter, which is stored in volatile memory. One way to protect the secret key is to cover the key with a metal layer which is able to deflect probing signals directed thereon. However, this metal layer could be removed or altered fairly easily by an attacker. Consequently, protecting the key through the use of a metal layer, as contemplated in the prior art, is rather ineffective.

[0076] One way to enhance the security of this metal layer is for the SPU to contain means for detecting any alteration of the metal layer which covers the key, or any particularly sensitive data for that matter. The SPU can then take actions to respond to the alteration. One embodiment of the invention is shown in FIG. 11. The metal layer is divided into many metal traces, shown in FIG. 11 as parts 852-857. Each trace is connected to an output pin of a latch 860 and an input pin of a latch 862. These two latches are connected to the internal bus 868, which is in turn connected to the Micro Controller and the memory. They are also connected to the Status Register 11. Traces 852 and 853 pass over a first area 864, traces 854 and 855 pass over a second area 865, and traces 856 and 857 pass over a third area 866.

[0077] During a system bus cycle, the individual output pins of latch 860 are driven to either a logic high or a logic low, depending on the value of a random number generator (either implemented in hardware or software). As a result, the traces 852-857 should be set to a corresponding logic high or a logic low value. At a later bus cycle, latch 862 latches in the logic levels of traces 852-857. If any of the latched logic levels is different from the logic level originally driven by latch 860, it is assumed that an attack has been made.
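A bus-cycle model of the FIG. 11 detector, added here as an example and not taken from the patent: latch 860 drives a fresh random pattern onto the six traces each cycle, latch 862 reads the levels back a cycle later, and any bit that differs is an attack indication for the Status Register. The trace fault model (a cut trace floating at its previous level, or a trace shorted to a fixed level), the tiny linear congruential generator standing in for the random number generator, and every identifier below are assumptions of this example. The run function also shows why the pattern is randomized: against a trace stuck at one level a single fixed pattern could match by chance every time, while a random one is caught within a few cycles.

```c
/* Added example (not from the patent): model of the metal-trace check of FIG. 11.
 * metal_layer_t, trace_state_t, lcg_next() and the fault model are assumptions. */
#include <stdint.h>
#include <stdbool.h>

#define TRACE_COUNT 6   /* traces 852-857, one bit each */

typedef enum { TRACE_INTACT, TRACE_CUT, TRACE_STUCK_HIGH, TRACE_STUCK_LOW } trace_state_t;

typedef struct {
    trace_state_t state[TRACE_COUNT];
    uint8_t       last_driven;   /* value currently held by the drive-side latch 860 */
} metal_layer_t;

/* Constructed stand-in for the random number generator of [0077]: a 32-bit LCG. */
uint32_t lcg_next(uint32_t *s)
{
    *s = *s * 1664525u + 1013904223u;
    return *s;
}

/* Levels seen by latch 862 one bus cycle after `driven` was put on latch 860. A cut trace
   is modelled as floating at the level it last carried (prev_driven); a shorted trace
   reads its fixed level regardless of what is driven. */
uint8_t metal_readback(const metal_layer_t *m, uint8_t driven, uint8_t prev_driven)
{
    uint8_t seen = 0;
    for (int i = 0; i < TRACE_COUNT; i++) {
        uint8_t bit;
        switch (m->state[i]) {
        case TRACE_INTACT:     bit = (uint8_t)((driven >> i) & 1u);      break;
        case TRACE_CUT:        bit = (uint8_t)((prev_driven >> i) & 1u); break;
        case TRACE_STUCK_HIGH: bit = 1u;                                 break;
        default:               bit = 0u;                                 break;  /* stuck low */
        }
        seen |= (uint8_t)(bit << i);
    }
    return seen;
}

/* One detector cycle: drive a random pattern, read it back, compare.
   Returns true when the readback differs, i.e. an attack indication. */
bool metal_check_cycle(metal_layer_t *m, uint32_t *rng)
{
    uint8_t prev    = m->last_driven;
    uint8_t pattern = (uint8_t)((lcg_next(rng) >> 16) & ((1u << TRACE_COUNT) - 1u));
    m->last_driven  = pattern;
    return metal_readback(m, pattern, prev) != pattern;
}

/* Run n cycles from a seed; returns how many of them flagged an attack. An intact layer
   flags none; a damaged trace is caught on roughly half the cycles. */
unsigned metal_check_run(metal_layer_t *m, uint32_t seed, unsigned n)
{
    unsigned flagged = 0;
    uint32_t rng = seed;
    for (unsigned i = 0; i < n; i++)
        flagged += metal_check_cycle(m, &rng) ? 1u : 0u;
    return flagged;
}
```

In the real device the comparison result would be routed through the Silicon Firewall 20 to the Status Register 11 like the other detector outputs of [0082]; here it is simply returned so the behaviour can be checked.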

[0078] Another embodiment of the invention is shown in FIG. 12. The metal layer is again divided into many metal traces, shown in FIG. 12 as numerals 902-904. These metal traces are connected to a logic high potential. FIG. 12 also contains a plurality of AND gates shown as numerals 906-908, and a plurality of memory cells 914-916. Each of the AND gates 906-908 has one input terminal connected to one of the traces 902-904 and one output terminal connected to one of the power lines 910-912 of memory cells 914-916, respectively. The other terminals of each of AND gates 906-908 are connected to power lines 909-911, respectively. These power lines 909-911 could feed off VPP 24, for example.
[0079] When the metal traces are in their normal (intact) state, the outputs of the AND gates are at a logic high potential. Thus all the memory cells are powered by the outputs of the AND gates. However, if any one of the metal traces is removed, the output of the corresponding AND gate will be changed to a logic low, which turns off the associated memory cell. Since the output of an AND gate is connected to the input of an adjacent AND gate, the output of the adjacent AND gate becomes a logic low, which turns off the memory cell associated with the adjacent AND gate. This sequence of events propagates until all the outputs of the AND gates become a logic low. As a result, all the memory cells are turned off, resulting in the destruction of the data stored therein. This embodiment does not require any action of the Micro Controller and could amount to a last-ditch defense.
[0080] A third embodiment of the invention is a LATN cell, shown in FIG. 13 as 920. LATN cell 920 is essentially a latch with a weak feedback path so that any intrusion in the cell will cause the cell to toggle. A control signal on line 925 is applied to a transmission gate 922 and, through an inverter 926, to another transmission gate 924. As a result only one of the transmission gates is turned on at a time. When transmission gate 922 is turned on, a data signal on line 927 passes through an inverter 928 to output inverters 929 and 930. An inverter 931 is connected to inverter 929 in order to provide an inverted output. When transmission gate 922 is turned off, the data signal is no longer connected to the output inverters. However, the output signal retains its value because of the feedback provided by an inverter 932 and transmission gate 924.

[0081] One of the important features of the LATN cell 920 of the present invention is that the feedback inverter 932 has weak output power. Thus, if the LATN cell 920 is exposed to radiation introduced by a probe, the feedback path is broken and the output value of LATN cell 920 would not be maintained.

[0082] In all of these embodiments, the outputs thereof could be used as detectors, as symbolically represented by Metallization Layer Detector 18, feeding their signal through the Silicon Firewall 20 to the Status Register 11. It should not be ignored that the Metallization Layer itself provides a passive defense to probing, as discussed below.

iv. RTC Rollover Bit and the Clock Integrity Check

[0083] As discussed above, the Real Time Clock 5 uses a 32.768 KHz crystal to drive a Ripple Counter 248 which keeps UNIX time. Were one to replace this crystal with a frequency source several orders of magnitude higher, while the SPU is operating under battery power only, one could conceivably roll the counter over a predetermined number of pulses to the point where, when system power is reapplied, the Micro Controller 3 would not be able to detect that any discernible amount of time had passed since the previous time it was turned on. The implications for various applications are serious, as for example: metering information, where the time the information was actually used and the time subsequently charged for such use would have little bearing on each other.
[0084] Prior art solutions to detect clock tampering have the drawback that they require the entire system to be always up and running; typically, however, in order to minimize power consumption in times of non-use, most of the system is powered down while the real-time clock continues to run from batteries. Thus, the problem is to create a mechanism that can detect tampering of a real time clock without the use of the external system, such mechanism to be contained wholly within the real time clock for security reasons, and be a minimal drain on the total power.
[0085] In the present invention, referring to FIG. 1, this problem is solved by the provision of a rollover bit in the Status Register 11, set by the ROLLOVER 34 signal. This rollover bit is configured to be read/write mask, i.e. it can only be cleared by writing a one to it when it already is set to one, and this write may only come from the Micro Controller 3, a feature which enhances security. The ROLLOVER 34 signal is generated by the Real Time Clock 5 described above. The 32 bits of the SC 305 output, as per FIG. 8, represent a carry-over at 2^32 cycles, corresponding to about 136 years when operating in conjunction with a 32.768 KHz crystal. This is well within the contemplated lifetime of any SPU product. Even clocking the circuit at something like 32.768 MHz, three orders of magnitude higher, were this tolerated by the oscillator circuitry, would result in a rollover after every 49.7 days, a long time for a would-be attacker to wait, and even then such attacker would be foiled by the rollover bit feature, as a rollover should never occur within the contemplated lifetime of the product, as just discussed. Resorting to a second rollover would not work, as the rollover bit cannot be cleared by a second carry-over, as just described.

[0086] This approach has the advantages of its low cost of implementation, the small amount of SPU real estate it requires, and its compatibility with a simple ripple counter architecture, yet not inviting additional security risks.
[0087] The security offered by the RTC Rollover Bit is supplemented by a general clock integrity check as shown in FIG. 14(a). The process begins at step 551 by reading back from RAM 8, or some special register, a prior readout of the Real Time Clock 5 stored by this process 552. A monotonicity test is performed by comparing the present time with the prior stored reading 553. If the present time is less, a security problem has arisen and is signalled 560 and the process should then terminate 558. If the present time is indeed greater, then it is stored for a future monotonicity test 554. Next a fixed benchmark performance test is conducted 553; many of these types of tests are well-known in the art and need not be alluded to here. The important thing is that such a test take a given number of system clock cycles, CTTL 25, such length established during production time testing or, alternatively, clocked at run time for the given number of cycles. At the completion of the benchmark test, the completion time, as measured by the Real Time Clock 5, should be stored 556. Thus, the benchmark test elapsed time, as measured by the Real Time Clock 5, can be calculated and compared with the number of CTTL 25 clock cycles. The initial calibration of the System Clock 2, that is, the setting of its operational frequency, should provide the necessary conversion factor between the Real Time Clock 5 and the System Clock 2, allowing such a comparison. As described earlier, the System Clock 2 also exhibits a considerable degree of variability with temperature; thus, the time comparison should take into account some operational tolerance 557. If the comparison falls outside this tolerance, the security problem should be signalled 559, but in either case the process would then terminate 558.
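The two mechanisms of [0085] and [0087] written out as an added example (this is not code from the patent): a status register whose rollover bit is set only by hardware and cleared only by a Micro Controller write of one while the bit is already one, and the FIG. 14(a) check, which first enforces monotonicity against the stored prior reading and then compares the Real Time Clock elapsed time of a fixed-length benchmark against its known CTTL cycle count using the calibration factor, with a percentage tolerance for the temperature drift noted in [0057]. The register and type names, the 32768 Hz tick unit for RTC readings, the 11 MHz calibrated System Clock (22 MHz nominal divided by two, per [0054]), the 30% tolerance and the sample readings are assumptions of this example.

```c
/* Added example (not from the patent): RTC rollover bit semantics and the clock integrity
 * check of FIG. 14(a). status_reg_t, clk_check_t, RTC_HZ and the sample values are assumptions. */
#include <stdint.h>
#include <stdbool.h>

#define ROLLOVER_BIT 0x01u
#define RTC_HZ       32768u   /* RTC readings below are in ticks of the 32.768 KHz crystal */

typedef struct { uint8_t bits; } status_reg_t;

/* Hardware side: the ROLLOVER 34 signal can only ever set the bit. */
void status_set_rollover(status_reg_t *sr) { sr->bits |= ROLLOVER_BIT; }

/* Micro Controller side: write-one-to-clear, honoured only when the bit is already set.
   Writing 0, or writing 1 while the bit is clear, changes nothing. */
void status_mcu_write(status_reg_t *sr, uint8_t value)
{
    if ((value & ROLLOVER_BIT) && (sr->bits & ROLLOVER_BIT))
        sr->bits &= (uint8_t)~ROLLOVER_BIT;
    /* other Status Register bits are outside this model */
}

typedef enum { CLK_OK = 0, CLK_NOT_MONOTONIC = 1, CLK_RATE_MISMATCH = 2 } clk_result_t;

typedef struct {
    uint32_t last_rtc;       /* prior RTC readout kept in RAM 8 (steps 551/552/554) */
    uint32_t bench_cycles;   /* CTTL cycles the benchmark takes, fixed at production test */
    uint32_t sysclk_hz;      /* calibrated System Clock rate: the RTC-to-CTTL conversion factor */
    uint32_t tolerance_pct;  /* operational tolerance of step 557 */
} clk_check_t;

/* rtc_now: RTC reading at entry (step 553). rtc_after_bench: RTC reading when the
   benchmark completes (step 556). Returns the outcome that would be signalled. */
clk_result_t clock_integrity_check(clk_check_t *c, uint32_t rtc_now, uint32_t rtc_after_bench)
{
    /* Monotonicity test: time may never appear to run backwards. */
    if (rtc_now < c->last_rtc)
        return CLK_NOT_MONOTONIC;                      /* step 560 */
    c->last_rtc = rtc_now;                             /* step 554 */

    /* Convert the RTC elapsed time into the number of CTTL cycles it should correspond to
       and compare with the benchmark's known length, within tolerance (step 557). */
    uint64_t elapsed_ticks   = (uint32_t)(rtc_after_bench - rtc_now);
    uint64_t measured_cycles = elapsed_ticks * c->sysclk_hz / RTC_HZ;
    uint64_t expected        = c->bench_cycles;
    uint64_t slack           = expected * c->tolerance_pct / 100u;
    if (measured_cycles + slack < expected || measured_cycles > expected + slack)
        return CLK_RATE_MISMATCH;                      /* step 559 */
    return CLK_OK;
}
```

The monotonicity test catches a clock that was wound back or reset while the system slept; the benchmark comparison catches a clock that is now running at the wrong rate relative to the internal System Clock, in either direction.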

v. VRT Security Bit and the Power Integrity Check

[0088] The VRT Security Bit is provided to inform the system that both the battery and system power have simultaneously dropped below an acceptable voltage, for example 2V. When that occurs, any volatile storage information, as well as the time count in the Real Time Clock 5, may be lost. References to RAM 8 in this context will be deemed to include off-chip RAM powered by VOUT 23. Referring to FIG. 1, the VRT bit may be implemented as a special bit in the Status Register 11, with voltage detection circuitry tied to VPP 24, such as pull-up or pull-down resistors, designed to make the bit go low in the absence of sufficient voltage. Thus, the VRT bit is cleared by the Power Block 13, and is only set by the Micro Controller 3 via Status Read/Write line 36. The VRT bit is used in conjunction with rewritable-memory modification detection codes on the RAM 8, to perform an overall integrity check on the battery-backed section of the SPU. The modification detection codes may be any one of an assortment of suitable codes, as is well-known in the art, from a simple checksum, to a cyclic redundancy check (CRC), to more elaborate algorithms such as MD5 owned by RSA Data Security, Inc., each affording different levels of security, compactness and error recoverability. For example, a simple checksum, while easy to implement, allows a large degree of freedom for an attacker to overwrite the contents of RAM 8 while preserving the same overall checksum. Whichever modification detection code is used, the code result is conventionally stored along with the RAM 8 it is measuring.
[0089] With reference now to FIG. 14(b), the general power integrity check process 251 will be described. As the SPU
is powered up, the Micro Controller 3 performs the necessary initialization operations on the SPU 252. Then, the Micro
Controller 3 polls the Status Register 11 to ascertain the state of the VRT bit 253: if the VRT bit is set to 1, a modification
detection operation on the RAM 8 is performed 254. Then, the SPU determines if any modification has been detected
255. If not, the SPU is said to be in its normal operating state, and thus should only implement commands that give
restricted access to its secret data 256, and the process then exits 257.
[0090] If a modification has been detected, the [...] and the process exits 257.

[0091] If the VRT bit is set to 0, a modification [...] If no modification is detected,
the SPU is in a secure, albeit low power state; in other words, although the RAM 8 presently checks out, the power can-
not be trusted and so this problem should be signalled 261 and the process exits 257.
[0092] Finally, there is the scenario where modification was detected, yet VRT is 0 - this modification detection is
spurious as the RAM 8 is in a random configuration, i.e. it is said to be in the manufacturing state. The following is a
description of a response taken in one embodiment of this invention, and should not be read to preclude any number of
possible responses to this state. In this one embodiment, the SPU could zeroize all secret data areas and use the
default operational configuration parameters, such as the lowest System Clock 2 oscillator frequency, stored preferably
in the ROM 7, to operate in the most trustworthy state 262. The SPU then could enter a mode whereby manufacturing
tests may be performed and the configuration parameters may be set 263. Then, any manufacturing tests may be per-
formed in order to guarantee the reliability of the SPU 264. Once those tests have been made successfully, the secret
data, such as the keys, may be loaded, and a modification detection code performed on the entire contents of RAM 8
and stored therein 265. Finally, the SPU will set the VRT bit to 1, putting it into the normal operating state 266, after
which the process may exit 257.
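An added example (not part of the patent) of the power integrity check of FIG. 14(b) in C, with the modification detection code over a constructed 8-byte image of RAM 8 computed both as a plain checksum and as CRC-16/CCITT, so the weakness of the checksum that [0088] points out can be observed; the RAM contents, the register layout and the state names are assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simple checksum over RAM 8: the sum of all bytes modulo 2^16. */
uint16_t ram_checksum(const uint8_t *ram, size_t len)
{
    uint16_t sum = 0;
    for (size_t i = 0; i < len; i++)
        sum = (uint16_t)(sum + ram[i]);
    return sum;
}

/* CRC-16/CCITT over RAM 8: MSB first, polynomial 0x1021, initial value 0xFFFF. */
uint16_t ram_crc16(const uint8_t *ram, size_t len)
{
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint16_t)(ram[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021) : (uint16_t)(crc << 1);
    }
    return crc;
}

enum power_state {
    POWER_NORMAL_RESTRICTED,  /* VRT=1, RAM intact: normal operating state (step 256) */
    POWER_MODIFICATION,       /* VRT=1, RAM modified: the case of [0090] */
    POWER_LOW_SIGNALLED,      /* VRT=0, RAM intact: power cannot be trusted (step 261) */
    POWER_MANUFACTURING       /* VRT=0, RAM modified: manufacturing state (step 262) */
};

/* The battery-backed section as the Micro Controller 3 sees it: a small RAM 8
 * image, the detection code stored alongside it, and the VRT bit read from the
 * Status Register 11. */
struct battery_section {
    uint8_t ram[8];
    uint16_t stored_code;
    int vrt_bit;
};

/* Steps 253-255 of FIG. 14(b): poll the VRT bit, recompute the detection code
 * and classify the state of the battery-backed section. */
enum power_state power_integrity_check(const struct battery_section *bs)
{
    int modified = ram_crc16(bs->ram, sizeof bs->ram) != bs->stored_code;
    if (bs->vrt_bit)
        return modified ? POWER_MODIFICATION : POWER_NORMAL_RESTRICTED;
    return modified ? POWER_MANUFACTURING : POWER_LOW_SIGNALLED;
}

/* Steps 265-266: seal the RAM image with a fresh detection code after the
 * manufacturing tests and set the VRT bit to enter the normal operating state. */
void seal_battery_section(struct battery_section *bs)
{
    bs->stored_code = ram_crc16(bs->ram, sizeof bs->ram);
    bs->vrt_bit = 1;
}

/* Why the text prefers a CRC to a plain checksum: changing two bytes by +1 and
 * -1 leaves the checksum unchanged but alters the CRC.  Returns 1 when the
 * checksum is fooled and the CRC is not. */
int checksum_weakness_demo(void)
{
    uint8_t original[8] = {0x01, 0x02, 0x10, 0x04, 0x05, 0x20, 0x07, 0x08};  /* constructed */
    uint8_t altered[8];
    memcpy(altered, original, sizeof original);
    altered[2] += 1;
    altered[5] -= 1;
    int sum_same = ram_checksum(original, 8) == ram_checksum(altered, 8);
    int crc_same = ram_crc16(original, 8) == ram_crc16(altered, 8);
    return sum_same && !crc_same;
}

/* Walks the four outcomes of FIG. 14(b) over a constructed RAM image in the
 * order a chip would meet them; returns how many came out as the figure says (4). */
int power_check_walkthrough(void)
{
    struct battery_section bs = { {0x01, 0x02, 0x10, 0x04, 0x05, 0x20, 0x07, 0x08}, 0, 0 };
    int ok = 0;
    bs.stored_code = ram_crc16(bs.ram, 8) ^ 0x0001;   /* no power, stale code: random RAM */
    ok += power_integrity_check(&bs) == POWER_MANUFACTURING;
    seal_battery_section(&bs);                         /* keys loaded, code stored, VRT set */
    ok += power_integrity_check(&bs) == POWER_NORMAL_RESTRICTED;
    bs.ram[3] ^= 0x80;                                 /* one byte of RAM 8 altered */
    ok += power_integrity_check(&bs) == POWER_MODIFICATION;
    bs.ram[3] ^= 0x80;
    bs.vrt_bit = 0;                                    /* power dropped, RAM still intact */
    ok += power_integrity_check(&bs) == POWER_LOW_SIGNALLED;
    return ok;
}

int main(void)
{
    printf("checksum fooled, CRC not: %d\n", checksum_weakness_demo());
    printf("FIG. 14(b) outcomes matched: %d of 4\n", power_check_walkthrough());
    return 0;
}
```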

vi. Bus Monitoring Prevention.

[0093] With PDPS one is concerned with protecting secret information which, among other objectives, implies thwart-
ing any attempt to monitor this internal information. It is axiomatic that a device incor-
porating PDPS must have input and output ports, taking in data, performing operations on this data using the internal
secret information and then outputting the resulting data. If an integrated circuit could be altered in such a way that the
secret information contained in the device could be extracted through an input or output port, or if a random failure
within the device caused this to happen, then the PDPS system would no longer be secure.
[0094] Prior solutions for keeping secret [...]
of a single integrated circuit chip, thus preventing an interloper with standard evaluation tools from monitoring inter-chip
data traffic and thereby discerning the secret information. This containment approach required a high degree of chip
integration, in order that all functions needing the secret information are implemented on the same piece of silicon. Also,
input and output ports of these integrated circuits would need to be disabled while secret information was being inter-
nally transferred.

[0095] The prior solutions relied on the difficulty in modifying already complete manufactured integrated circuits. This
is no longer the case, as semiconductor evaluation tools have drastically improved in their sophistication and capabili-
ties. It is now possible to modify parts of an integrated circuit without damaging the other parts or the chip's overall func-
tion. Thus, a device which would keep its secret information on internal buses only could now be modified to transfer
that information to its input or output ports. This is a lot easier to implement than creating specially-made probes to tap
into the internal bus. It should be repeated that even random failures within an integrated circuit have been known to
result in a similar scenario. In both cases, therefore, monitoring the input and output ports would allow the secret infor-
mation to be determined.

[0096] The basis on which to combat this problem, in the present invention, is to create a mechanism internal to the
chip that verifies that the original design of the input or output circuitry has not been modified by either an attack or ran-
dom failure, before bringing out any secret information onto the internal bus. This is accomplished by interrogating crit-
ical circuit components to ensure that they are intact and functioning correctly. The detection of a security breach could
thus be acted upon accordingly, but at the very least, the bus should be disabled from bringing out any secret informa-
tion. Also, the secret information should be brought out in several pieces, which has the virtue that, were a random hard-
ware fault to occur precisely when secret information was brought onto the internal bus, then only a small and probably
useless portion would be compromised.

[0097] The SPU contains ports that allow data to be transferred from an internal secure bus to external buses. The
implementation is brought about, in one embodiment, with special circuitry that is added to the input/output ports and
special routines in firmware that are executed by the internal Micro Controller. The internal Micro Controller keeps an
internal copy of the last data written to the output register of that port. The internal Micro Controller reads the contents
of both the input and output registers; typically only the input registers can be read by the internal Micro Controller.
Before bringing secure information onto the bus, the Micro Controller interrogates the port to ensure that the last valid
data written to the port is still in place; otherwise, the Micro Controller does not bring secret information onto the bus. If
valid data is in place, then a portion of the secret data is brought onto the bus and transferred internally as necessary.
The port is again checked to ensure that valid data is in place in the input/output port's output register. If the secret data,
or any other data, is detected in the ports then the Micro Controller does not bring any other secret information onto the
bus. This is continued until all secret information is transferred to its internal destination.

[0098] It should be noted that the use, or non-use, of the Bus Monitor is a process controlled from firmware. Referring
to FIG. 15, this process shall now be described in detail. Upon the Start 320, the Micro Controller 3 determines whether
secret data needs to be transferred onto the Internal Bus 10 in step 352. If not, data may be transferred on the Internal
Bus 10 in the conventional manner 353. If secret data is to be transferred on the Internal Bus 10, the Micro Controller
3 reads back the output port registers 354, and stores them in temporary storage 355. In one embodiment, before
secret data is moved onto the Internal Bus 10, non-secret data is sent over the Internal Bus 10 as a test 356. The output
port registers are again read back 357, and compared with the previously stored read back 358. Should they prove dif-
ferent, the process aborts and signals the security problem 325 and exits at step 362, but if they are the same, the proc-
ess may proceed as part of a loop, to determine whether any and all parts of the secret data have already been
transferred on the Internal Bus 10 in step 359. If not, the next part of the secret data is moved on the Internal Bus 10 at
step 360 and then the process loops back to step 357 to read back the output port registers again. If all parts of the
secret data have been transferred, the process loops back to step 352 to control further data transfers on the Internal
Bus 10.
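An added example (not from the patent) of the Bus Monitor loop of FIG. 15 in C, run against a modelled SPU whose I/O port 0 is either healthy or, standing for the altered-port and random-failure cases of [0096], begins copying Internal Bus 10 into its output register after a given number of bus writes; the secret bytes, the register values and the two-port model are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NPORTS 2

/* Modelled SPU: Internal Bus 10 and the output registers of two I/O ports.
 * A faulty or tampered port 0 starts mirroring the bus into its output
 * register once more than `fault_after` bus writes have happened. */
struct spu_model {
    uint8_t bus;
    uint8_t out_reg[NPORTS];
    unsigned writes;
    int faulty;
    unsigned fault_after;
};

static void bus_write(struct spu_model *m, uint8_t v)
{
    m->bus = v;
    m->writes++;
    if (m->faulty && m->writes > m->fault_after)
        m->out_reg[0] = v;        /* the bus contents leak to the port */
}

static int regs_equal(const uint8_t *a, const uint8_t *b)
{
    for (size_t i = 0; i < NPORTS; i++)
        if (a[i] != b[i])
            return 0;
    return 1;
}

/* Steps 354-361 of FIG. 15: snapshot the output registers, send non-secret test
 * data, then move the secret one part at a time, re-reading the registers after
 * each part.  Returns 1 when every part was transferred, 0 when the transfer was
 * aborted (step 325); *moved receives the number of parts that reached the bus. */
int bus_monitor_transfer(struct spu_model *m, const uint8_t *secret, size_t n, size_t *moved)
{
    uint8_t saved[NPORTS];
    *moved = 0;
    for (size_t i = 0; i < NPORTS; i++)       /* steps 354-355 */
        saved[i] = m->out_reg[i];

    bus_write(m, 0xA5);                       /* step 356: non-secret probe */
    if (!regs_equal(saved, m->out_reg))       /* steps 357-358 */
        return 0;

    for (size_t i = 0; i < n; i++) {          /* steps 359-360 */
        bus_write(m, secret[i]);
        (*moved)++;
        if (!regs_equal(saved, m->out_reg))   /* back to steps 357-358 */
            return 0;
    }
    return 1;
}

/* Transfers a constructed 4-byte secret through a port that is healthy
 * (faulty == 0) or begins leaking after `fault_after` writes.  Returns the
 * number of parts moved on success, or -(parts moved) - 1 on abort, so the
 * caller can see how little was exposed before the bus was shut. */
int run_transfer(int faulty, unsigned fault_after)
{
    static const uint8_t secret[4] = {0xDE, 0xAD, 0xBE, 0xEF};  /* constructed */
    struct spu_model m = { 0, {0x11, 0x22}, 0, faulty, fault_after };
    size_t moved;
    int ok = bus_monitor_transfer(&m, secret, sizeof secret, &moved);
    return ok ? (int)moved : -(int)moved - 1;
}

int main(void)
{
    printf("healthy port:              %d\n", run_transfer(0, 0));
    printf("port leaking from start:   %d\n", run_transfer(1, 0));
    printf("fault after second write:  %d\n", run_transfer(1, 2));
    return 0;
}
```

With the probe write in step 356 a port that leaks from the outset is caught before any secret byte is moved; a fault appearing mid-transfer exposes only the part on the bus at that moment.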

[0099] This approach has the virtue of relatively low cost implementation, without any special semiconductor process-
ing. It also guards against combined physical and electrical attacks, as well as random failures. This system, by being
implemented in multiple blocks within the integrated circuit, in conjunction with firmware operated by the Micro Control-
ler, would be expensive and difficult to reverse engineer.

vii. Trip Wire Input.



[0100] [...] the Bus Monitor Prevention, may be addressed through monitoring of just these pins, providing cryptographic alarms or
trip wires to just those kinds of attacks. An attacker may be monitoring any given pin, to determine its functionality. The
PINs 32 of the I/O Port 1, being programmable, are ideally suited to detect any such unexpected read or writes. Fur-
thermore, they may be used not only to detect an attacker usurping these PINs 32, but may also be used as inputs from
off-chip external detectors, such as a battery of photo detectors arrayed inside a PCMCIA card.
[0101] With reference to FIG. 16, the process that begins at step 401 will now be described in detail. A given bit, the
Xth bit, on the I/O Port 1 is set to a 1 402. The process waits until the operating system has determined it is time for the
I/O Port 1 to be checked 403. This should take into account, for instance, when such pin needs to be used for regular
I/O operations. When such time arrives, the Xth bit is read 404 and checked if it is still a 1 405. If so, the process may
return to its wait state at step 402. Otherwise, the process aborts and signals the security problem 406, and the process
exits 407.

viii. Software Attack Monitor.

[0102] One of the least expensive ways to defeat a security system in a hardware device (which may contain a plu-
rality of components such as a microprocessor, PALs, etc.) is to mount a random data electronic attack on the hardware
device. Specifically, an attacker could send signals (which may be commands, data, or random signals) to the input pins
of some of the components in the device and monitor the output pins of the same and/or different components. This
kind of attack requires little or no special hardware, and the attacker may be able to learn confidential information con-
tained in or protected by the hardware device.

[0103] A typical attack strategy is now described. An attacker would monitor the hardware and software operation of
the components for some period of time during normal operation. As a result, the attacker could determine the normal
command structure of the programmable components in the hardware device. The attacker would then create his/her
own command sequences (e.g., by slightly modifying the commands or the command operators, or even creating
entirely different commands) based on the information obtained. The reaction of the components to these command
sequences is then recorded, thus building up a "characterization database." As the operation of the components
becomes understood, the signals sent to the components are no longer random but are designed to identify commands
that could defeat the security of the system.

[0104] It can be seen from the above attack strategy that the components in the hardware device, including the micro-
processor, will receive a large number of invalid commands, at least during the initial phase of the attack. Consequently,
one aspect of the present invention is for the SPU to detect the occurrence of an excessive number of invalid commands
and to take appropriate actions to defeat or hinder the attack. One should bear in mind that some perfectly innocent
functions generate a series of invalid commands, as, for example, when a computer upon boot-up interrogates all
peripheral devices and ports to determine if they are present and active.

[0105] One means by which to measure an "excessive number" of invalid commands is to determine the number of
invalid commands per unit time. The appropriate time unit can be determined by: (1) the rollover time of a counter driven
by an oscillator, such as RTCLK 29; (2) a predetermined number of ticks of the Real Time Clock 5; or (3) a software
timing loop. If the number of invalid commands [...]
appropriate action will be taken by the SPU.

[0106] In some situations, it may be preferable for the SPU to set several limit parameters, each having an associated
action. FIG. 17 contains a flowchart 940 which includes four limit parameters. Note that the number of limit parameters
is illustrative only, and any number of limit parameters may be used. The flowchart [...]
values of each of the four limit parameters 942. The flowchart then branches into blocks 946-966.

[0107] In block 946, the SPU determines whether a command is valid. If it is valid, it is processed in the
regular manner (block 948). The flowchart then branches back to block 946 to fetch and examine another command. If
the command is not valid, the flowchart goes to block 950, which calculates the number of invalid commands per unit
time. The result of the calculation is compared with the first limit parameter (block 952). If the result is less than the first
limit parameter, then no further action is taken, and the flowchart branches back to block 946 to process the
next command. If the result is larger than the first limit parameter, the process generates a signal indicating a first level
security problem (block 954).

[0108] The flowchart then branches to block 956, which compares the number of invalid commands per unit time with
a second limit parameter. If the number is less than the second limit parameter, then no additional action is taken, and
flowchart 940 branches back to block 946 to process the next command. If the number is larger than the second
limit parameter, the process generates a signal indicating a second level security problem (block 958).

[0109] The flowchart 940 then branches to block 960, which compares the number of invalid commands per unit time
with a third limit parameter. If the number is less than the third limit parameter, no additional action is taken, and flow-
chart 940 branches back to block 946 to process the next command. If the number is larger than the third limit param-
eter, the process generates a signal indicating a third level security problem (block 958).

[0110] The flowchart 940 then branches to the block which compares the number of invalid commands per unit time
with a fourth limit parameter. If the number is less than the fourth limit parameter, no additional action is taken, and flow-
chart 940 branches back to block 946 to process the next command. If the number is larger than the fourth limit param-
eter, the process generates a signal indicating a fourth level security problem.

[0111] It is of course up to the supervisory program to decide what steps to take in response to signals of the various
limit security problems. The SPU can be programmed to take any or all appropriate actions.
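An added example (not from the patent) of the Software Attack Monitor of FIG. 17 in C, measuring invalid commands per time unit with the unit taken as a fixed number of Real Time Clock 5 ticks (option (2) of [0105]) and comparing the count against four limit parameters; the limits, the 100-tick unit and the command streams are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define NLIMITS 4

struct attack_monitor {
    uint32_t unit_ticks;       /* length of one time unit, in Real Time Clock 5 ticks */
    uint32_t unit_start;       /* tick at which the current unit began */
    uint32_t invalid_count;    /* invalid commands seen so far in this unit */
    uint32_t limit[NLIMITS];   /* the four limit parameters set in block 942 */
};

void attack_monitor_init(struct attack_monitor *m, uint32_t unit_ticks,
                         const uint32_t limit[NLIMITS], uint32_t now)
{
    m->unit_ticks = unit_ticks;
    m->unit_start = now;
    m->invalid_count = 0;
    for (int i = 0; i < NLIMITS; i++)
        m->limit[i] = limit[i];
}

/* Blocks 946-966 of FIG. 17 for one command.  Returns 0 for a valid command, or
 * for an invalid one whose rate is below the first limit; otherwise the highest
 * level (1..4) whose limit parameter the invalid-command rate now exceeds.  The
 * supervisory program decides what to do with the signal ([0111]). */
int attack_monitor_command(struct attack_monitor *m, uint32_t now, int valid)
{
    if (now - m->unit_start >= m->unit_ticks) {   /* new time unit: restart the count */
        m->unit_start = now;
        m->invalid_count = 0;
    }
    if (valid)                                     /* block 946 -> 948 */
        return 0;
    m->invalid_count++;                            /* block 950 */
    int level = 0;
    for (int i = 0; i < NLIMITS; i++)              /* blocks 952-966 */
        if (m->invalid_count > m->limit[i])
            level = i + 1;
    return level;
}

/* Constructed command stream: five invalid commands spaced one time unit apart
 * (boot-up style probing of ports, see [0104]), one valid command, then `burst`
 * invalid commands one tick apart inside a single unit.  Limits {3, 6, 9, 12}
 * per 100-tick unit.  Returns the highest level signalled during the run. */
int attack_monitor_run(uint32_t burst)
{
    static const uint32_t limits[NLIMITS] = {3, 6, 9, 12};
    struct attack_monitor m;
    attack_monitor_init(&m, 100, limits, 0);
    int highest = 0;
    for (uint32_t t = 0; t < 500; t += 100) {      /* innocent probing: never past limit 1 */
        int lvl = attack_monitor_command(&m, t, 0);
        if (lvl > highest) highest = lvl;
    }
    attack_monitor_command(&m, 600, 1);            /* a valid command is simply processed */
    for (uint32_t i = 0; i < burst; i++) {         /* characterization burst */
        int lvl = attack_monitor_command(&m, 1000 + i, 0);
        if (lvl > highest) highest = lvl;
    }
    return highest;
}

int main(void)
{
    printf("probing only:  level %d\n", attack_monitor_run(0));
    printf("burst of 4:    level %d\n", attack_monitor_run(4));
    printf("burst of 7:    level %d\n", attack_monitor_run(7));
    printf("burst of 13:   level %d\n", attack_monitor_run(13));
    return 0;
}
```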

c. Programmable Security. 

[0112] The Programmable Distributed Personal Security System is based on the orchestration of three conceptually
distinct, but nonetheless interrelated systems: (i) detectors, which alert the SPU to the existence, and help characterize
the nature, of an attack; (ii) filters, which correlate the data from the various detectors, weighing the severity of the attack
against the risk to the SPU's integrity, both to its secret data and to the design itself; and (iii) responses, which are coun-
termeasures, calculated by the filters to be most appropriate under the circumstances, to deal with the attack or attacks
present. The selection of responses by the filters would be said to constitute the "policy" of the SPU. The present inven-
tion permits a wide capability in all three of the detectors, filters and responses, allowing a great degree of flexibility for
programming an appropriate level of security policy into an SPU-based application.

[0113] The effectiveness of this PDPS trio is enhanced significantly by the other design features of the SPU architec-
ture disclosed herein, for example: the Power Block 13, Power Isolation 13, Silicon Firewall 20, System Clock 2 and
Real Time Clock 5, and the Inverting Key Storage. Although the implementation of some of these features creates secu-
rity barriers which do not strictly fit into the detector/filter/response paradigm, the presence of these barriers certainly
slows or even thwarts an attacker's progress, allowing for more time to detect an attack, filter out the characteristics of
such attack and thus make a more measured response thereto.


i. Detection. 

[0114] A wide variety of detectors have already been disclosed -- some implemented in hardware, others in firmware.
Some may bear witness unambiguously to an actual physical intrusion into the SPU, such as the Metallization Layer
Detector 18; others such as the Photo Detector 16 may be triggered by noninvasive means such as an X-ray of the SPU,
or by very invasive means, such as the actual de-encapsulation of the chip. Again, the purpose at this stage is not to
decide on the course of action, nor even to coordinate all related information; it is simply to report the detection and
move on.

[0115] Referring to FIG. 18, the process of how detectors are generally handled will now be described. The process
begins 451 by a decision of whether the detector signal is generated by hardware or firmware 452. The exact nature of
how this step is taken is unimportant. Here it is represented by an interrupt generated in the Micro Controller 3, but it
could just as easily be based on some periodic polling of registers or any other equivalent method well-known to prac-
titioners in the art. Even the distinction between firmware and hardware detectors is at a certain level irrelevant as the
parallelism present in FIG. 18 shows. If the interrupt was generated by hardware, the Status Register 11 would then be
polled 453. In this implementation, the key to determining whether indeed any hardware detector was activated was that
one or more bits of the Status Register 11 should have changed from the last time it was read 454. If so, the SPU could
then take actions as dictated by its programmed policy 455. If not, either an error has occurred owing to a false detec-
tion or certain operational features are in play, such as the signal owing to a periodic wake-up of the SPU under battery
power. In either case, action dictated by policy, given such an error or feature, should then be taken 460. Alternatively,
at step 452, had the signal originated in firmware, the process would set about determining the routine generating it
461. If such routine proved to be a valid one 462, again action should be taken as dictated by policy 455. Otherwise,
action consistent with this error or possible feature should be taken, again as dictated by policy 463. All the aforemen-
tioned scenarios thereafter converge. If, in accordance with one alternate embodiment disclosed herein, an alarm
wake-up capability is provided, and the process was invoked owing to such an alarm 456, the process would then gen-
erate the SLEEP 41 signal 459 and terminate 458. Otherwise, the process would return from interrupt or whatever
housekeeping required in accordance with the particular implementation used 457 and then terminate 458.

ii. Filtering.

[0116] The programmable filtering process lies at the heart of PDPS; without it one merely has hardwired and indis-
criminate responses to various attacks. With reference to FIG. 19, this process itself consists of two stages: (i) correlat-
ing signals produced by the various detectors to ascertain the attacks involved (FIGS. 19(a), 19(b), 19(c)); and (ii)
based on the attacks involved, to select an appropriate response (FIGS. 19(d), 19(e), 19(f)). There are, of course, oper-
ational factors involved at both stages of this process. These factors may be static and intrinsically related to the type
of application, the architecture of the SPU, etc., or they may be dynamically varying and related to, for example: (i) the
prior history or frequency of detected signals, responses, or all events; (ii) the present state of the SPU; (iii) the present
stage or mode of the application; (iv) the potential harm a given attack may represent; or (v) combinations of factors or
detectors, for example, coming from a given set, occurring in a particular order, or occurring within a fixed time frame.
[0117] The conditions whereby the detectors are correlated are as follows. In FIG. 19(a), a false alarm condition is
shown. A signal is detected, D_a 501, without corresponding to any real attack, A_0 502. There are various means by
which such a false alarm could be discerned. For example, the detector producing the D_a 501 signal could be polled
once more to determine whether the first reading was spurious or not. Alternatively, it may be inferred from the state of
other detectors. Such a scenario will be discussed in the context of FIG. 19(c). FIG. 19(b) demonstrates an opposite
extreme, where a signal D_b 503 corresponds unambiguously to one attack, A_b 504. However, most attacks will be char-
acterized as in FIG. 19(c), where each of one or more detectors, D_c1 505, D_c2 506 and D_c3 507, in conjunction with zero
or more factors, F_c1 508, F_c2 509, are required to fully characterize a given attack A_c.

[0118] The selection of responses to attacks fall into the following categories. There is, of course, the non-response
R_0 512, in FIG. 19(d), whereby no action is taken for a given attack, A_d 511. This may owe to a lack of capability, a delib-
erate design choice, or an application decision. In FIG. 19(e), analogous to the unambiguous condition of FIG. 19(b),
there is the unconditional response R_e 514 to an attack A_e 513. This may represent a last-ditch scenario, where all outer
defenses have been breached and some unequivocal and serious countermeasure needs to be taken. On the other
hand, it may also be an application decision. Finally, in FIG. 19(f), there is the general scenario where one or more
attacks, A_f1 515, A_f2 516, in conjunction with zero or more factors, F_f1 517, F_f2 518, F_f3 519, must have been or are
present in order to select the response R_f 520.

[0119] By custom tailoring the correlation of the detector signals, as well as the selection of the responses, a program-
mable security system can be application- as well as environment-specific.
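An added example (not from the patent) putting the detection stage of FIG. 18 and both filtering stages of FIG. 19 together as a table-driven policy in C: detector signals come from the bits that changed in the Status Register 11, attack rules correlate detectors with factors (FIGS. 19(a)-(c)), and response rules pick R_0, an unconditional or a factor-conditional response (FIGS. 19(d)-(f)); the bit layout, the factor set, the rule tables and the register values are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Detector bits: an assumed layout of the hardware detector bits in Status Register 11. */
#define DET_PHOTO 0x01   /* Photo Detector 16 */
#define DET_METAL 0x02   /* Metallization Layer Detector 18 */
#define DET_TEMP  0x04   /* Temperature Detector 17 */
#define DET_VRT   0x08   /* VRT Security Bit */
/* Factors available to the filter ([0116]); constructed for the example. */
#define FAC_BATTERY_ONLY 0x01   /* SPU currently running on battery power */
#define FAC_REPEATED     0x02   /* same detector fired earlier within the time frame */
#define FAC_KEYS_LOADED  0x04   /* secret keys present in RAM 8 */

enum attack   { A_NONE, A_PHYSICAL, A_CLOCK, A_KEY };
enum response { R_NONE, R_LOG, R_SIGNAL_LOCAL, R_DISABLE_KEYS, R_DESTROY_KEYS };

/* FIG. 18, steps 453-454: the hardware detectors that fired are the bits that
 * changed since the Status Register 11 was last read. */
uint8_t detect_changed(uint8_t status_now, uint8_t *status_last)
{
    uint8_t changed = status_now ^ *status_last;
    *status_last = status_now;
    return changed;
}

struct attack_rule { uint8_t need_det; uint8_t need_fac; enum attack attack; };
static const struct attack_rule attack_rules[] = {
    { DET_METAL,            0,                A_PHYSICAL },  /* FIG. 19(b): one detector, one attack */
    { DET_PHOTO | DET_TEMP, FAC_REPEATED,     A_PHYSICAL },  /* FIG. 19(c): detectors plus factors */
    { DET_VRT,              FAC_BATTERY_ONLY, A_KEY },
    { DET_TEMP,             FAC_REPEATED,     A_CLOCK },
};

/* FIG. 19(a)-(c): the first rule whose detectors and factors are all present
 * names the attack; a signal matching no rule is treated as a false alarm A_0. */
enum attack filter_attack(uint8_t det, uint8_t fac)
{
    for (size_t i = 0; i < sizeof attack_rules / sizeof attack_rules[0]; i++) {
        const struct attack_rule *r = &attack_rules[i];
        if ((det & r->need_det) == r->need_det && (fac & r->need_fac) == r->need_fac)
            return r->attack;
    }
    return A_NONE;
}

struct response_rule { enum attack attack; uint8_t need_fac; enum response response; };
static const struct response_rule response_rules[] = {
    { A_KEY,      FAC_KEYS_LOADED, R_DESTROY_KEYS },  /* FIG. 19(f): conditional on factors */
    { A_PHYSICAL, FAC_KEYS_LOADED, R_DISABLE_KEYS },
    { A_PHYSICAL, 0,               R_SIGNAL_LOCAL },  /* FIG. 19(e): unconditional */
    { A_KEY,      0,               R_SIGNAL_LOCAL },
    /* A_CLOCK has no rule: it gets the non-response R_0 of FIG. 19(d). */
};

/* FIG. 19(d)-(f): pick the first matching response; false alarms are only logged
 * (a passive response) so the spurious signal still leaves a record. */
enum response select_response(enum attack a, uint8_t fac)
{
    if (a == A_NONE)
        return R_LOG;
    for (size_t i = 0; i < sizeof response_rules / sizeof response_rules[0]; i++) {
        const struct response_rule *r = &response_rules[i];
        if (r->attack == a && (fac & r->need_fac) == r->need_fac)
            return r->response;
    }
    return R_NONE;
}

/* One pass through detection, filtering and response for a new Status Register 11 reading. */
enum response spu_policy_step(uint8_t status_now, uint8_t *status_last, uint8_t fac)
{
    uint8_t det = detect_changed(status_now, status_last);
    return select_response(filter_attack(det, fac), fac);
}

/* Same, with the previous reading given explicitly (for stand-alone runs). */
enum response policy_step_values(uint8_t status_prev, uint8_t status_now, uint8_t fac)
{
    uint8_t last = status_prev;
    return spu_policy_step(status_now, &last, fac);
}

int main(void)
{
    printf("metallization layer breached, keys loaded -> %d\n",
           policy_step_values(0, DET_METAL, FAC_KEYS_LOADED));
    printf("photo detector alone, no other witness -> %d\n",
           policy_step_values(0, DET_PHOTO, 0));
    printf("VRT dropped on battery with keys loaded -> %d\n",
           policy_step_values(0, DET_VRT, FAC_BATTERY_ONLY | FAC_KEYS_LOADED));
    return 0;
}
```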



iii. Responses.

[0120] The final system of PDPS involves the provision of a wide variety of responses, to allow for a rich and full set
of countermeasures to any conceivable attack scenario. These responses can be categorized into five major groups: (i)
passive; (ii) alarms; (iii) decoy activity; (iv) restriction of access; and (v) destructive. Examples of each are given in
TABLE I, which is meant to be an illustrative, but by no means exhaustive, list.



TABLE I

Examples of Typical Responses

Passive
  • Non-response
  • Log attack internally

Alarm
  • Signal local computer
  • Signal remote computer
  • Set I/O Port pin high

Decoy
  • Random command response
  • Random external bus activity

Restricted Access
  • Disable SPU for period of time
  • Require recertification
  • Disabling use of keys, passwords...

Destructive
  • Destroy keys
  • Destroy secret data
  • Disable SPU permanently



[0121] A passive response would be one where the SPU conveys no external signal observable [...] manner differently
from its normal mode of operation. This would of course include the classic "non-response" dis-
cussed earlier, but also an on-board logging of the attack with its type, timestamp, context, etc.
[0122] An alarm response would indeed convey an externally detectable signal. The SPU may signal the calling appli-
cation, for instance, to alert the user that the SPU is aware of the attack and may have to proceed to more drastic meas-
ures if such attack is not discontinued. In a situation where the SPU is connected via a network or modem to some
monitoring computer, as for example, in an information metering context, the SPU may signal that remote computer to
tell that the local user is attempting to attack it. On the hardware level, an alarm may be implemented simply by setting
a particular pin on the I/O Port 1 high.

[0123] A decoy response is one that departs from the normal mode of SPU activity. It may indeed mimic valid SPU
activity. Examples would be to execute SPU commands, or to generate signals on the External Bus Interface 9, either
selected at random or from some predetermined set.

[0124] A restricted access response would be to disable some functions from the normal mode of SPU operation.
Examples include disabling the SPU totally for some period of time or until recertified in some manner, or disabling
operations involving specific [...]

[0125] Finally, there is the destructive response, which disables functionality of the SPU permanently. Examples
include destruction in memory, by erasing keys or other secret data, or permanent physical disablement, such as the
burning out of internal fuses.

d. Attack Scenarios.

[0126] Now that the overall structure of the invention has been laid out, it is fruitful to describe in detail the various
attack scenarios, the manner in which they are conducted, the information or effect they wish to achieve or access, the
design features of the SPU that would thwart such an attack, factors that are relevant in reacting to such attacks, and
finally, responses appropriate to such an attack. A summary of the applicable disclosed SPU features, detectors and
responses is to be found in TABLE II. These scenarios are by no means exhaustive, but merely illustrative. All further
references, unless specified otherwise, are to elements of FIG. 1.
TABLE II

Summary of Attack Scenarios

Attack Type: Electrical Attack on I/O Ports
  SPU Protective Feature(s):
    • Silicon Firewall 20
    • Alarm wake up
  Triggered Detector(s):
    • Bus Monitor
    • Trip Wire Input
    • Software Attack Monitor
    • Metallization layer detector 18
    • Photo Detector 16
  Suggested Response(s):
    • Random command response
    • Random external bus activity
    • Disable SPU temporarily
    • Disable SPU permanently

Attack Type: Clock Attack
  SPU Protective Feature(s):
    • Silicon Firewall 20
    • System Clock 2
    • Real Time Clock 5
  Triggered Detector(s):
    • RTC Rollover Bit
    • Monotonicity test
    • System/Real Time Clock cross-check
    • Temperature Detector 17
  Suggested Response(s):
    • Use other clock
    • Disable metering functions

Attack Type: Key Attack
  SPU Protective Feature(s):
    • Battery-backed RAM 8
    • Metallization layer
    • Inverting key storage
  Triggered Detector(s):
    • Metallization layer detector 18
    • Bus Monitor
    • VRT Security Bit
  Suggested Response(s):
    • Disable use of keys
    • Destroy keys

Attack Type: Physical Attack
  SPU Protective Feature(s):
    • Physical coating
    • Metallization layer
  Triggered Detector(s):
    • Temperature Detector 17
    • Photo Detector 16
  Suggested Response(s):
    • Disable keys, secret data
    • Destroy keys, secret data

Attack Type: Combination Attack
  SPU Protective Feature(s):
    • Any/all of the above
  Triggered Detector(s):
    • Any/all of the above
  Suggested Response(s):
    • Any/all of the above

Attack Type: User Fraud
  SPU Protective Feature(s):
    • Silicon Firewall 20
    • Power Block 13
  Triggered Detector(s):
    • RTC Rollover Bit
    • Monotonicity test
    • System/Real Time Clock cross-check
    • VRT Security Bit
  Suggested Response(s):
    • Signal Local Computer
    • Signal Remote Computer
    • Disable metering functions
    • Require recertification




i. Electrical Attack on I/O Ports.

[0127] Arguably, the simplest form of attack would be an electrical attack on the I/O Port 1. This type of attack requires
very little special hardware. The attacker simply uses the same system configuration that is used in the normal applica-
tion, however instead of using the intended software, the attacker creates his own code to interrogate the device. The
attacker could go one step further and place monitoring equipment on strategic points in the circuit, as for example, the
SPU pins or PAL outputs. This would allow the attacker to more thoroughly characterize the chip in its normal operation,
and when it is under attack.

[0128] The typical approach would be to monitor the hardware or software for some period of time during normal oper-
ation. From this the attacker could determine the normal command sequence. After this characterization, the attacker
could then create his own command sequences based on the information he has obtained. He could try to slightly mod-
ify the commands or the command operators to get the device to perform different functions. He might also try to issue
commands that he did not see before to see how the device would react. All during this process the attacker would be
recording the responses to the different stimuli. As patterns are detected, the data that is issued to the device is no
longer random but designed to further evaluate the particular operation. This continues until a particular operation is
fully characterized. It would be the attacker's intention to identify commands or responses that could defeat the overall
system. For example, the attacker might be looking for a reset operation command, and could then issue such com-
mand at inappropriate times.
[0129] The Silicon Firewall 20 would prevent asynchronous signals from the attacker overwhelming the system. The
Software Attack Monitor (FIG. 17) would be very sensitive to the overall characterization process. Possibly appropriate
responses, in accordance with the measured stages of the Software Attack Monitor, would be to lead an attacker astray
with random responses, or eventual disablement of the SPU.

ii. Clock Attack.

[0130] Many applications of the SPU could employ the Real Time Clock 5 advantageously, as for example in information metering. However, the Real Time Clock 5 could be attacked in a variety of ways. The external crystal 15 could be substituted to modify the frequency of the RTC Oscillator 15 and hence the internal Real Time Clock 5. The SPU is designed to perform integrity tasks, one of which is to check the Real Time Clock 5 against the System Clock 2 to see if it is operating in the correct range (FIG. 14(a)). However, in one embodiment, these integrity tasks would be performed only when the entire system is powered; when system power VDD 22 is removed, only the battery-backed Real Time Clock 5 remains operational. It is this opportunity that an attacker could use to attack the external crystal 15 without immediate detection. As the Real Time Clock 5 uses a simple binary ripple counter, an attacker could advance the counter until it rolled over. Subsequently, the attacker could continue to run the clock forward to whatever given time reading he wished. This is analogous to the resetting of the odometer of a used car by an unscrupulous dealer.

[0131] The inaccessibility of the internal System Clock 2 to attack, and the Real Time Clock 5 buffering the time signal through an internal Silicon Firewall, certainly stand as barriers in the attacker's way. The System Clock/Real Time Clock cross-check of FIG. 14(a) would detect any switch on power up. If an attacker tried to set the System Clock 2 off by cooling or heating the SPU, the Temperature Detector 17 would give such an approach away, as would the clock cross-check once the clocks drifted outside the operational tolerance. Furthermore, an attacker attempting to roll over the Real Time Clock 5 would cause the ROLLOVER 34 signal to go off. A possible response would be to use the System Clock 2 to whatever extent possible in lieu of the Real Time Clock 5 should that clock prove untrustworthy. However, that option is highly application-dependent; in an information metering context, a more likely response would be to disable all metering functions.
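The clock integrity checks described above, as an added illustration that is not part of the patent's text: a Python model of the battery-backed ripple-counter Real Time Clock with its sticky ROLLOVER bit, the monotonicity test and the System Clock cross-check of FIG. 14(a). The counter width, the 32.768 kHz crystal and 4 MHz system clock frequencies, the 5 % tolerance and all class and function names are assumptions chosen for the example.

```python
"""Clock-integrity checks in the style of FIG. 14(a): monotonicity test,
System Clock / Real Time Clock cross-check, and the ROLLOVER bit.
Added illustration; the RTC model, frequencies and tolerance are assumptions."""
from dataclasses import dataclass

RTC_BITS = 32            # width of the binary ripple counter (assumption)
RTC_HZ = 32_768          # nominal external crystal frequency (assumption)
SYS_HZ = 4_000_000       # internal System Clock frequency (assumption)
TOLERANCE = 0.05         # accepted relative error in the cross-check (assumption)


@dataclass
class RealTimeClock:
    """Battery-backed ripple counter driven by the external crystal.
    `hz` is the crystal's actual frequency; an attacker may substitute the crystal."""
    hz: float = RTC_HZ
    count: int = 0
    rollover: bool = False   # sticky ROLLOVER bit, cleared only by firmware

    def run(self, seconds: float) -> None:
        """Advance the counter by the ticks the (possibly tampered) crystal produces."""
        ticks = int(seconds * self.hz)
        total = self.count + ticks
        if total >= 1 << RTC_BITS:
            self.rollover = True          # counter wrapped: latch the event
        self.count = total % (1 << RTC_BITS)

    def read(self) -> int:
        return self.count


def monotonicity_test(last_reading: int, present: int) -> bool:
    """Time must never run backwards between two stored readings."""
    return present >= last_reading


def cross_check(rtc: RealTimeClock, sysclk_cycles: int) -> bool:
    """Perform an operation of fixed System Clock duration and verify that the
    RTC advanced by the expected number of crystal cycles, within tolerance."""
    start = rtc.read()
    rtc.run(sysclk_cycles / SYS_HZ)       # the reference operation, timed by the trusted clock
    elapsed = (rtc.read() - start) % (1 << RTC_BITS)
    expected = sysclk_cycles * RTC_HZ / SYS_HZ
    return abs(elapsed - expected) <= TOLERANCE * expected


def integrity_check(rtc: RealTimeClock, last_reading: int,
                    rollover_expected: bool = False,
                    sysclk_cycles: int = 4_000_000) -> list:
    """Run all three checks at power-up; return the security problems found."""
    problems = []
    if not monotonicity_test(last_reading, rtc.read()):
        problems.append("RTC_NOT_MONOTONIC")
    if rtc.rollover and not rollover_expected:
        problems.append("ROLLOVER")
    if not cross_check(rtc, sysclk_cycles):
        problems.append("CLOCK_CROSS_CHECK")
    return problems
```

An honest clock passes all three checks; a substituted crystal running at twice the nominal rate fails the cross-check; a reading rolled back below the last stored value fails the monotonicity test; and the odometer-style attack, which wraps the counter and then runs it forward to a plausible-looking value, is caught by the latched ROLLOVER bit even though the final reading is monotonic.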

iii. Key Attack.

[0132] Secret information is stored in volatile memory, such as RAM 8 within the SPU, rather than ROM 7. This is done to prevent an attacker from gaining access to this information by simply de-encapsulating the SPU chip and "reading" the schematic. However, when keys or other such secret information are stored in volatile memory within a chip, one can deprocess the chip and detect residual charge in the volatile memory which may reveal the contents stored therein. The act of deprocessing would cause power to be removed from the volatile memory, thus causing the data within the memory to be lost as the charge decays within the semiconductor. However, if the volatile memory contains the same data for a protracted period of time, charge may build up in the dielectric portion of the memory cell, charge which may be feasible to detect despite removal of power. Also, it may be possible to artificially age the memory device by elevating the voltage and changing the operational temperature of the silicon, thus making the SPU even more susceptible to this memory effect.

[0133] As described earlier, the Inverting Key Storage (FIGS. 9, 10) feature would thwart such a key attack by averaging out any residual charge. The de-encapsulation process would be rendered more difficult by the presence of the Metallization Layer, and the Metallization Layer Detector 18 would be set off the moment such layer was cut. The protocol of the Bus Monitor Prevention (FIG. 15), transferring only parts of keys from RAM 8 to the DES Block 6 via Internal Bus 10, would hinder tracing the keys, as well as giving away such attempts. Possible responses might be to disable the keys or other secret data from use, or, in more serious cases, to erase them. Active zeroization could be used to assure that such process of erasure is complete.
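The Inverting Key Storage routine of FIG. 9, as an added example rather than code from the patent: a key held in simulated RAM cells is periodically complemented while a status bit records the current polarity, so reads always return the true key while each cell spends half its life in each state. The per-bit "stress" counter standing in for residual dielectric charge, the 64-bit sample key and the class name are assumptions made for the example.

```python
"""Inverting Key Storage in the style of FIG. 9: lock the key, complement every
bit, flip the inversion status bit, unlock. Over an even number of periods each
cell has held 0 and 1 for equal time, so no net residual charge remains.
Added illustration; the charge model, key width and names are assumptions."""


class InvertingKeyStore:
    def __init__(self, key: bytes):
        self._cells = bytearray(key)          # the RAM 8 cells holding the key
        self.inverted = False                 # key inversion status bit
        self.locked = False                   # "disable access to the key" flag
        # Assumption: a per-bit counter stands in for dielectric charge build-up.
        self._stress = [0] * (8 * len(key))

    def _tick(self) -> None:
        """Model one time unit of storage: a cell holding 1 accumulates +1,
        a cell holding 0 accumulates -1 (symmetric charge build-up assumed)."""
        for i in range(len(self._stress)):
            bit = (self._cells[i // 8] >> (7 - i % 8)) & 1
            self._stress[i] += 1 if bit else -1

    def invert(self) -> None:
        """The periodic firmware task of FIG. 9, steps 808 to 814."""
        self.locked = True                    # disable access to the key
        for i in range(len(self._cells)):
            self._cells[i] ^= 0xFF            # invert all the bits of the key
        self.inverted = not self.inverted     # change the key inversion status bit
        self.locked = False                   # enable access to the key

    def read_key(self) -> bytes:
        """Reconstitute the true key regardless of the current polarity."""
        if self.locked:
            raise RuntimeError("key access disabled during inversion")
        if self.inverted:
            return bytes(b ^ 0xFF for b in self._cells)
        return bytes(self._cells)

    def age(self, periods: int, ticks_per_period: int, invert: bool = True) -> None:
        """Simulate `periods` inversion periods of storage; `invert=False`
        models a plain key store with no inversion for comparison."""
        for _ in range(periods):
            for _ in range(ticks_per_period):
                self._tick()
            if invert:
                self.invert()

    def residual_bits(self) -> int:
        """Bits an attacker could recover from the charge model: any bit whose
        accumulated stress is non-zero reveals its dominant value."""
        return sum(1 for s in self._stress if s != 0)
```

With inversion every period, the key reads back correctly after any number of periods, and after an even number of periods every bit's accumulated stress is zero; the same key left uninverted for the same time leaks all 64 bits under this model.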

iv. Physical Attack.

[0134] An attacker might try to de-encapsulate the SPU in order to reverse engineer it. Simple observation of the chip layout can lead one experienced in the art to determine where the Microcontroller 3, I/O Port 1, memory, etc., are located. Recognizing the pedigree of a chip, i.e., knowing the manufacturer and series number and prior chips therefrom, can also aid in the reverse engineering. Some logic may be laid down randomly; other blocks such as RAM and ROM are well known and normally laid down in regular patterns via chip design macros, meaning that large areas of a chip need not be reverse engineered. Detailed resolution of the chip layout can result in reverse engineering of the chip.

[0135] Semiconductor industry evaluation tools now provide the capability of making edits to an integrated circuit after processing has been completed. For example, Focused Ion Beam Mill technology has advanced to the point where the equipment is capable of selectively removing or depositing material on the surface of an integrated circuit. These devices can remove layers of metal and oxide and also lay down layers of metal on the integrated circuit's surface. These devices are ostensibly used to debug integrated circuits by cutting metal traces that connect logic gates and by reconnecting the logic gates in a different manner. It is feasible to lay down internal probes; however, it is less costly and less difficult to modify an existing I/O port.

[0136] This kind of attack would first be thwarted by the physical coatings on the SPU, then by the Metallization Layer, both acting to make difficult the process of ascertaining the chip layout and of connecting a test probe to nodes within the SPU. Such an attack would likely trigger the Metallization Layer Detector 18 and the Photo Detector 16, and running the altered circuit live under system power VDD 22 would likely trigger the Bus Monitoring Prevention (FIG. 15). The same responses as given above would likely be appropriate as well. The actual act of de-encapsulation through grinding can create enough heat to trigger the Temperature Detector 17 as well as set off a vibration detector, and again, unless done in total darkness, exposure of the die would set off the Photo Detector 16. Disabling or even destroying the keys and secret data seem the most likely responses to such a scenario.
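The Bus Monitor Prevention protocol of FIG. 15, which [0136] names as the check that catches an altered circuit run live, as an added example that is not code from the patent: a toy chip with an internal bus, I/O port output registers and a DES key register, where an assumed FIB edit has rerouted the bus into the port. The chip model, the two-byte chunk size, the test pattern, the `arm_after` delay of the tap and all names are assumptions.

```python
"""Bus Monitor Prevention in the style of FIG. 15: read back the I/O port output
registers, drive test (non-secret) data over the internal bus, re-read the
registers; only if they are unchanged move one part of the key, compare again,
and repeat for the next part. Added illustration; chip model and names assumed."""

KEY = bytes.fromhex("0123456789abcdef")   # constructed sample key, 8 bytes


class Chip:
    """Toy SPU: Internal Bus 10, I/O Port 1 output registers, DES Block 6 key register."""

    def __init__(self, port_width: int = 4, tapped: bool = False, arm_after: int = 0):
        self.port_regs = bytearray(port_width)  # I/O port output registers
        self.des_key = bytearray()              # key register in the DES block
        self.tapped = tapped                    # assumed FIB edit: bus copied into the port
        self.arm_after = arm_after              # tap starts copying after this many transfers
        self.bus_log = []                       # what an attacker watching the pins sees

    def bus_transfer(self, data: bytes) -> None:
        """Move `data` over the internal bus into the DES key register."""
        self.bus_log.append(bytes(data))
        if self.tapped and len(self.bus_log) > self.arm_after:
            for i, b in enumerate(data[: len(self.port_regs)]):
                self.port_regs[i] = b           # the rerouted trace leaks bus bytes
        self.des_key += data

    def read_port(self) -> bytes:
        return bytes(self.port_regs)


def _abort(chip: Chip) -> bool:
    """Active zeroization of whatever key material already reached the DES block."""
    for i in range(len(chip.des_key)):
        chip.des_key[i] = 0
    return False


def load_key_guarded(chip: Chip, key: bytes, chunk: int = 2) -> bool:
    """Transfer `key` in `chunk`-byte parts, checking the port before each part.
    Returns True on success, False if a bus-to-port leak was detected."""
    saved = chip.read_port()                               # read back and save
    # test pattern chosen to differ from every port byte it could overwrite
    test = bytes((~saved[i % len(saved)]) & 0xFF for i in range(chunk))
    chip.bus_transfer(test)                                # move test non-secret data
    del chip.des_key[:]                                    # the pattern is not key material
    if chip.read_port() != saved:
        return _abort(chip)                                # leak seen before any key byte
    for off in range(0, len(key), chunk):
        chip.bus_transfer(key[off:off + chunk])            # move next part of secret data
        if chip.read_port() != saved:                      # compare again
            return _abort(chip)
    return True


def key_bytes_on_bus(chip: Chip) -> int:
    """Key bytes that ever crossed the bus (everything after the test transfer)."""
    return sum(len(t) for t in chip.bus_log[1:])
```

On a clean chip the whole key arrives and eight key bytes cross the bus. With the tap active from the start, the test pattern alone trips the check and no key byte is ever placed on the bus. A tap that only starts copying later is still caught at the next comparison, so at most the parts already sent are exposed and the partial key in the DES block is zeroized.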


v. Combination Attack.

[0137] Deprocessing is a sophisticated process, requiring first de-encapsulation and then placing the chip, under power, on an ion probing station. Such a machine can actually detect voltage potentials at different parts of the chip, resolving the operational characteristics thereof. The probe cannot observe through a Metallization Layer; however, this would only serve to slow such a machine down. The machine can also be used to remove the Metallization Layer and thus uncover previously secure areas. The attacker might even try to reconnect any broken traces in the Metallization Layer before attempting to access secret information.

[0138] This attack would be slowed by practically every SPU protective feature, would trigger practically all the aforementioned detectors, and could certainly be frustrated by any of the responses discussed and more. No guarantee of absolute security can ever be made, but here the SPU, subject to the full range of defenses, would make an attack so costly in time and money as to make the whole attempt pointless for the types of applications contemplated.

vi. User Fraud.

[0139] The thrust of user fraud is not to reverse engineer the SPU; that is chiefly the province of parties wishing to reproduce compatible or competing SPU products. The fraudulent user instead wishes to use products incorporating an existing SPU outside of their intended use, e.g., not paying, or being wholly undercharged, for information used through an information metering device, which is a likely fraud scenario. Thus, such a user may try simple operations such as trying to roll over the clock; or, by resetting the device at various operational stages, a user might hope to interfere with usage reporting or metering. Furthermore, also in the information metering context, by trying to overwrite the RAM 8 after a large purchase with the contents of the same RAM 8 from before the purchase, a user might hope to erase the traces of such a transaction.

[0140] The Power Blocks 3, with their powering up and down mechanisms, the Silicon Firewall 20, and the Software Attack Monitor (FIG. 17) give an attacker little opportunity for throwing the SPU into an unpredictable or unreliable state by inopportune resets, as discussed before. The protection of the ROLLOVER 34 signal and the clock cross-checks have also already been well described.

[0141] In the information metering context, usage might be based on preset credit limits, so that should the SPU unit fail, it would be presumed that the credit limit had been completely used, and thus the metering functions would be disabled. The user could only overcome this presumption by physically turning over the unit to whatever servicing agent to prove it had not been tampered with, or by remote interrogation via modem for instance, and thereafter have the servicing agent recertify the SPU device.

e. Sample SPU Application.

[0142] Now that the architecture of the SPU, the nature of the detectors, the detection/filtering/response paradigm of PDPS, and the nature of expected attacks have been discussed, it would be useful to proceed through a sample application which illustrates the principles of the present invention. For this purpose, a modest application is postulated: the use of an SPU-equipped PCMCIA card, an "access card", whose sole function is to provide digital cash. It thus operates as a simple debit-type card, programmed with a certain amount of money and debited, through use of a PIN number in various transactions, until the entire programmed-in credit has been exhausted.

[0143] The detection/filtering/response process for this access card is as shown in FIG. 20. It is by no means meant to be comprehensive, nor necessarily truly realistic, but simply illustrative of the application-specific demands placed upon programmable security. References herein may also be made to other figures or particular elements present in FIG. 1. The process starts 1001 by determining whether any detector has been set off 1002. If not, the process loops back to 1002, preferably performing all the other tasks necessary to the application in the interim.

[0144] If the Photo Detector 16 is set off 1004, the next inquiry is whether such detection is sustained over a period of time 1034. For example, the access card may have been briefly passed through an X-ray machine at the airport. Such exposure should be very short term. Thus, if the exposure is not sustained, the event should just be logged 1042 and the process returns, through connectors 1043, 1003, to step 1002 (all references to connectors will henceforth be dispensed with for the sake of clarity). If the exposure is sustained, the next inquiry is whether this detection is in conjunction with other detectors going off. This may be the hallmark of many of the attack scenarios discussed earlier. If there is sustained photo detection in isolation, it is suspicious enough on its own that a prudent step might be to disable the access card until it is recertified by an appropriate agent 1034, and thereafter the process loops back to step 1002 until further action is taken. Combined with other detectors going off, however, it might be best to disable the access card permanently 1036, and the process would thus end there 1037.

[0145] If the Temperature Detector 17 is set off 1005, it may then be only necessary to ask whether it occurred in conjunction with other detectors going off 1030. This differs from the Photo Detector 16 scenario in that it is more likely that an access card would be subject to high heat for innocuous reasons, as for example the user leaving the access card on the car dashboard all afternoon. Thus, the application would be more forgiving of mere sustained high temperature. In that case, the process would simply log the event 1042 and loop back to step 1002. Combined with other detectors going off, it may again be best to disable the access card permanently 1036.

[0146] If the Metallization Layer Detector 18 is set off 1006, it would be hard to justify anything but a harsh policy for such an event, such as disabling the access card permanently 1036. An exception would be where the Metallization Layer Detector 18 were of the LATN cell type (FIG. 13), which is so sensitive that other detectors should be correlated to make sure that a serious attack is indeed being made on the access card.

[0147] If either the ROLLOVER 34 signal or the Clock Integrity Check (FIG. 14(a)) is triggered (steps 1008, 1009 respectively), it may be safe simply to ignore them 1028 and loop back to step 1002, as this is not a time-sensitive application.

[0148] If the Power Integrity Check (FIG. 14(b)) is triggered 1010, two situations are possible: (i) the error state; or (ii) the low-power state. In the error state, the contents of RAM 8 are no longer trustworthy, which merits that the access card be disabled permanently 1036. In the low-power state, the RAM 8 contents are still trustworthy, but the battery power may soon fail, which therefore merits a message to the user to the effect that if the credit is not soon transferred to another access card, it may be irreparably lost 1026. In the latter case, the process would again loop back to step 1002.

[0149] If either of the remaining two detectors is triggered, there would be no justification to do otherwise than to disable the access card permanently 1036.

[0150] If the Software Attack Monitor (FIG. 17) is triggered 1014, a logical first step would be to determine if the access card is still in the handshaking phase 1016. This would correspond, for example, to the access card being inserted into a card reader and various protocols attempted until a proper link is established between the card and the card reader. In other words, this "handshaking" process should be excluded from serious security consideration. Thereafter, a particularly important command that the access card should be focused upon is the proper PIN number being issued by the user. Thus, the first time an improper command is given within the period of one transaction 1018, the process may simply log the event 1042. The second time an improper command is received within the period of one transaction 1020, the access card may issue a message to the user warning them not to do it again 1024, after which the process would again loop back to step 1002. The third time an improper command is received within the period of one transaction 1021, the access card may be disabled until recertification by an appropriate agent 1039; otherwise, it should be disabled permanently 1036.

[0151] If none of the above detectors is triggered, the process would loop back again to step 1002 to await further detected signals.
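The FIG. 20 policy of paragraphs [0143] to [0151], as an added example rather than the patent's own code: a single filter function that maps one detector event, together with the card's state, to the response the text prescribes, including the Software Attack Monitor's per-transaction escalation (log, warn, disable until recertification or permanently). The event fields (`sustained`, `others_active`, `latn_cell`, `power_error`), the action names, the per-transaction counter, the `recertify_allowed` knob and the `recertify` helper are assumptions.

```python
"""The access-card detection/filtering/response policy of FIG. 20 as a filter
function. Added illustration; event representation, action names and the
per-transaction state are assumptions, not the patent's own code."""
from dataclasses import dataclass
from typing import Optional

LOG = "LOG"                                         # step 1042
IGNORE = "IGNORE"                                   # step 1028 / handshaking
WARN_USER = "WARN_USER"                             # step 1024
WARN_LOW_POWER = "WARN_LOW_POWER"                   # step 1026
DISABLE_UNTIL_RECERT = "DISABLE_UNTIL_RECERTIFICATION"
DISABLE_PERMANENTLY = "DISABLE_PERMANENTLY"         # step 1036


@dataclass
class CardState:
    handshaking: bool = False          # still negotiating with the reader (1016)?
    improper_commands: int = 0         # improper commands within this transaction
    recertify_allowed: bool = True     # policy knob: may a servicing agent revive the card?
    disabled: Optional[str] = None     # latched disabling response, if any

    def new_transaction(self) -> None:
        self.improper_commands = 0


@dataclass
class Event:
    detector: str
    sustained: bool = False       # e.g. photo exposure sustained over a period (1034)
    others_active: bool = False   # other detectors went off in conjunction (1030)
    latn_cell: bool = False       # metallization detector of the sensitive LATN type
    power_error: bool = False     # power integrity: error state (True) or low-power (False)


def decide(ev: Event, st: CardState) -> str:
    """Return the response the policy selects for one detector event."""
    if st.disabled:
        return st.disabled                      # a disabled card stays disabled
    if ev.detector == "PHOTO":
        if not ev.sustained:
            return LOG                          # brief exposure: just log it
        action = DISABLE_PERMANENTLY if ev.others_active else DISABLE_UNTIL_RECERT
    elif ev.detector == "TEMPERATURE":
        action = DISABLE_PERMANENTLY if ev.others_active else LOG
    elif ev.detector == "METALLIZATION":
        if ev.latn_cell and not ev.others_active:
            return LOG                          # LATN cells need corroboration
        action = DISABLE_PERMANENTLY
    elif ev.detector in ("ROLLOVER", "CLOCK_INTEGRITY"):
        return IGNORE                           # digital cash needs no trustworthy time
    elif ev.detector == "POWER_INTEGRITY":
        action = DISABLE_PERMANENTLY if ev.power_error else WARN_LOW_POWER
    elif ev.detector == "SOFTWARE_ATTACK_MONITOR":
        if st.handshaking:
            return IGNORE                       # protocol negotiation is exempt
        st.improper_commands += 1
        if st.improper_commands == 1:
            return LOG
        if st.improper_commands == 2:
            return WARN_USER
        action = DISABLE_UNTIL_RECERT if st.recertify_allowed else DISABLE_PERMANENTLY
    else:
        action = DISABLE_PERMANENTLY            # remaining detectors: no leniency
    if action in (DISABLE_UNTIL_RECERT, DISABLE_PERMANENTLY):
        st.disabled = action
    return action


def recertify(st: CardState) -> bool:
    """A servicing agent revives a card that was only disabled pending recertification."""
    if st.disabled == DISABLE_UNTIL_RECERT:
        st.disabled = None
        return True
    return False
```

The escalation counter is reset by `new_transaction()`, so three improper commands spread over separate transactions never reach the disabling step, while three within one transaction do; permanent disablement, by contrast, cannot be undone by `recertify`.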

[0152] Although the invention has been described in detail with reference to its presently preferred embodiments, it will be understood by one of ordinary skill in the art that various modifications can be made without departing from the spirit and the scope of the invention. Accordingly, it is not intended that the invention be limited except as by the appended claims.

Claims

1. A secure cryptographic chip for processing and storing sensitive information, including messages received and generated by the chip and keys used to encrypt and decrypt the messages, and for securing the information against potential attacks, the chip comprising:

(a) a cryptographic engine for performing cryptographic operations on messages using a first key;

(b) one or more detectors for detecting events characteristic of an attack; and

(c) a plurality of potential responses to detected events, whereby sensitive information is unencrypted only on the chip, where it is secure from attack.

2. A chip according to claim 1 and including a programmable filter for correlating detected events with one or more operational factors and for selecting and invoking one or more responses based upon the correlation.

3. A chip according to claim 1, further comprising a key generator for generating a second key used by the cryptographic engine to perform cryptographic operations on the first key.

4. A secure chip according to claim 1 and further comprising:

(a) an internal system clock for synchronising functions performed on the chip; and

(b) an external signal synchroniser for synchronising to the internal system clock all asynchronous external signals received by the chip,

whereby the chip cannot be placed in an unknown state due to the receipt of asynchronous external signals.

5. A secure chip according to claim 4 wherein the external signal synchroniser synchronises asynchronous external signals by accepting and using the signals only at selected times determined by the internal system clock.

6. A chip according to claim 1 and further comprising:

(a) an internal bus for transferring information among components of the chip;

(b) an input/output port for transferring information between internal components of the chip and external devices; and

(c) a bus monitor for periodically comparing the contents of the input/output port before and after the transfer of information along the internal bus,

whereby the chip can detect unauthorised rerouting, to the input/output port, of sensitive information transferred along the internal bus.

7. A chip according to claim 6 wherein the bus monitor compares the contents of the input/output port before and after:

(a) a first transfer of less than all of the sensitive information; and

(b) a second transfer of the remaining sensitive information, if no change in the contents of the input/output port is detected following the first transfer,

whereby the chip can effectively prevent the unauthorised rerouting, to the input/output port, of sensitive information transferred along the internal bus.

8. A chip according to claim 1 and further comprising:

(a) a real time clock controlled by an external clock crystal having a substantially consistent external clock cycle frequency;

(b) an internal system clock for synchronising functions performed on the chip, the internal system clock cycle frequency being within a predetermined range of accuracy; and

(c) a clock integrity checking means for causing the chip to perform a reference operation requiring a predetermined number of internal clock cycles, and for determining, from the number of actual external clock cycles elapsed during the performance of the reference operation, whether the number of elapsed actual external clock cycles lies within the range of expected external clock cycles,

whereby the chip can detect unauthorised tampering with the external clock frequency.

9. A chip according to claim 1 and further comprising:

(a) a real time clock controlled by an external clock crystal having a substantially consistent external clock frequency, the real time clock having a counter for counting the number of elapsed external clock cycles;

(b) a rollover detector for detecting whether the real time clock counter rolled over; and

(c) a rollover bit, set upon detecting that the real time clock counter rolled over,

whereby, if the rollover bit is set during an operation not expected to require a sufficient number of external clock cycles to cause the counter to roll over, the chip will detect unauthorised tampering with the external clock frequency.



10. A chip according to claim 1 and further comprising:

(a) a rewritable memory for storing sensitive information;

(b) a power loss detector for detecting that the loss of both system and battery power is imminent; and

(c) a VRT bit for indicating the sufficiency of system and battery power following the loading of sensitive information into the rewritable memory, the VRT bit being set upon the loading of the sensitive information into the rewritable memory and reset upon the detection of power loss,

whereby the chip can detect the need to save the sensitive information prior to the actual loss of both system and battery power.

11. A chip according to claim 10 and further comprising a rewritable memory modification detector for detecting modification of the rewritable memory, whereby the chip can detect the need to reload the sensitive information into the rewritable memory.

12. A chip according to claim 1 wherein the chip comprises:

(a) a rewritable memory for storing sensitive information having a substantially constant value;

(b) a memory inverter for periodically inverting the contents of each cell of the rewritable memory; and

(c) a memory state bit for indicating whether the contents of each cell of the rewritable memory are in their actual state or in the inverted state,

whereby the contents of the rewritable memory contain effectively no residual indication of the constant value of the sensitive information.




EP 0 965 902 A2

[Drawings: the figure images did not survive extraction; only the figure numbers and the flowchart labels recoverable from the residue are kept here.]

FIG. 1: SPU block diagram (label recovered: 20 SILICON FIREWALL).
FIG. 3, FIG. 4, FIG. 5: circuit diagrams (INPUT, OUTPUT; reference numerals 710 to 734 only).
FIG. 8: Real Time Clock; labels: INTERNAL CLOCK_RTC, CLEAR_RTC, RIPPLE COUNTER 302, BUS INTERFACE AND DECODER 304, ROLLOVER SYNC BLOCK, ROLLOVER 34, OSC_ON, RTCLK, COUNTDOWN COUNTER 310, ALARM 38.
FIG. 9: key inversion routine; steps: EXECUTE OTHER FIRMWARE PROGRAMS, DISABLE ACCESS TO THE KEY 808, INVERT ALL THE BITS OF THE KEY 810, CHANGE THE KEY INVERSION STATUS BIT 812, ENABLE ACCESS TO THE KEY 814.
FIG. 11, FIG. 12, FIG. 13: reference numerals only.
FIG. 14a: clock integrity check; steps: READ BACK LAST RTC READING 552, [MONOTONICITY TEST] 553, [CLOCK CROSS-CHECK], RECORD PRESENT TIME AS RTC READING 554, PERFORM FIXED SYSCLK DURATION 555, RECORD PRESENT TIME AS END READING 556, SIGNAL SECURITY PROBLEM (557, 559, 560).
FIG. 14b: power integrity states; POWER UP, INITIALIZE SPU 252; {NORMAL OPERATING STATE}; {SECURED LOW-POWER STATE}: EXECUTE ONLY COMMANDS THAT RESTRICT ACCESS TO SECRET DATA, PERFORM MODIFICATION DETECTION, SIGNAL SECURITY PROBLEM 258, SIGNAL PROBLEM; {MANUFACTURING STATE} 257: ZEROIZE ALL SECRET DATA AREAS, USE DEFAULT CONFIGURATION 262, ENABLE MANUFACTURING TEST AND SET CONFIGURATION COMMANDS 263, PERFORM MANUFACTURING TESTS 264, LOAD SECRET DATA, STORE MODIFICATION CODE 265, SET VRT=1 266; END 261.
FIG. 15: bus monitor prevention; steps: START 351, READ BACK OUTPUT PORT REGISTERS, SAVE IN TEMPORARY STORAGE, MOVE TEST NON-SECRET DATA 355, compare OUTPUT PORT REGISTERS (356, 357), TRANSFER DATA ON BUS CONVENTIONALLY 353, MOVE NEXT PART OF SECRET DATA.
FIG. 16: SET I/O PORT BIT (401, 402).
FIG. 17: software attack monitor 940; steps: SET VALUES OF THE LIMIT PARAMETERS 942, CALCULATE NUMBER OF INVALID COMMANDS/UNIT TIME, PROCESS VALID COMMAND 948, SIGNAL FIRST/SECOND/THIRD/FOURTH LIMIT SECURITY PROBLEM (954, 958, 962, 966).
FIG. 18: hardware and firmware response paths; labels: POLL STATUS REGISTER, TAKE ACTION TO ERROR DICTATED BY POLICY (460, 461, 463), ASCERTAIN ROUTINE, RETURN FROM INTERRUPT, ISSUE SLEEP SIGNAL 459.
FIG. 20a, FIG. 20b (KEY TO FIG. 20): access card policy flowchart; label recovered: DISABLE UNTIL RECERTIFICATION 1040.






